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ABSTRACT 

\1 

Failure  Mode  and  Effect  Analysis  (FMEA)  is  a systematic 
approach  which  evaluates  a system  with  respect  to  its  most 
possible  failures.  This  is  accomplished  by  first  making  the 
basic  assumption  that  the  system  has  failed  and  then  hypoth- 
esizing specific  failure  modes,  failure  causes  and  failure 
effects.  Also  included  is  a determination  of  some  measure  of 
failure  probability  and  the  assignment  of  a criticality  clas- 
sification. The  study  examines  this  process  through  the  for- 
mulation of  a FMEA  on  a hypothetical  system.  The  way  in 
which  FMEA  is  currently  employed  in  Air  Force  defense  system 
procurements  is  reviewed  and  the  potential  benefits  of  the 
expanded  utilization  are  explored.  The  study  concludes  that 
the  lack  of  understanding  of  the  basic  concepts  and  the 
reliability  oriented  use  of  FMEA  precludes  much  of  its  poten- 
tial benefit  to  the  Air  Force  Program  Manager.  Certain 
benefits  are  emphasized  if  the  recommended  changes  to  the 
philosophy  surrounding  the  FMEA  process  should  be  adopted. 
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EXECUTIVE  SUMMARY 

Failure  Mode  and  Effect  Analysis  (FMEA)  is  a systematic 
approach  to  the  analysis  of  the  capabilities  and  performance 
of  a system  with  respect  to  the  areas  of  its  possible 
failure.  In  contrast,  a reliability  analysis  is  concerned 
with  the  probability  that  a system  will  operate  successfully 
within  defined  specifications  over  a specified  period  of 
time.  Essentially,  the  FMEA  is  a deterministic  analysis  be- 
cause it  makes  the  basic  assumption  that  the  system  has 
failed,  regardless  of  the  results  of  the  reliability  analysis. 
Then,  the  FMEA  proceeds  with  a hypothetical  determination  of 
how  the  system  failed,  known  as  the  Failure  Mode,  and  the 
effect  that  this  failure  will  have  on  the  system  capabilities 
and  performance,  known  as  the  Failure  Effect.  Currently, 
this  analysis  is  carried  out  through  the  entire  system  struc- 
ture from  the  overall  system  level  to  the  lowest  level  of 
individual  components. 

The  purpose  of  this  study  is  to  analyze  the  important 
aspects  of  Failure  Mode  and  Effect  Analysis.  This  analysis 
is  limited  to  the  relationship  of  FMEA  to  defense  system  pro- 
curement in  the  Air  Force  and  the  role  it  can  play  in  Air 
Force  Program  Management.  The  study  builds  a 'failure  model' 
of  a hypothetical  system  and  fits  its  use  into  the  procure- 
ment system.  Then,  it  examines  the  ways  in  which  this  con- 
cept can  be  employed  in  streamlining  the  procurement  process 
and  in  providing  the  Air  Force  Program  Manager  with  an  effec- 
tive management  tool. 

Failure  Mode  and  Effect  Analysis  is  a potentially  valu- 
able tool  for  the  Air  Force  Program  Manager.  However,  an 
extensive  study  of  the  current  role  of  FMEA  in  Air  Force 
Program  Management  has  shown  that  the  use  of  FMEA  as  a man- 
agement tool  is  hindered  by  the  current  philosophy  which 
surrounds  the  process.  This  philosophy  has  resulted  in 
procedures  which  tend  to  continue  to  limit  the  scope  of  FMEA 
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utilization  and  which  contribute  to  the  development  of  FMEA 
as  a process  which  becomes  increasingly  separated  from 
management . 

A study  of  Air  Force  procurement  effort  shows  that  the 
procedures  for  formulating  and  evaluating  a FMEA  are  not  well 
defined.  This  study  has  found  that  little  documentation, 
either  in  the  form  of  Air  Force  Manuals  or  Pamphlets,  exists 
to  aid  the  Program  Manager  in  his  efforts  to  understand  and 
employ  the  FMEA  process.  In  addition,  it  has  been  found  that 
the  potential  benefits  which  result  from  a comprehensive  use 
of  FMEA  are  sacrificed  because  of  the  lack  of  emphasis  placed 
upon  the  process.  Consequently,  such  benefits  as  the  early 
assessment  of  program  feasibility,  visibility  of  the  dollar 
impact  of  design  changes,  efficient  evaluation  of  the  dollar 
impact  of  trade-offs  to  the  parameters  of  cost,  schedule  and 
performance,  and  the  quick  assessment  of  the  progress  and 
maturity  of  the  system  development  become  lost.  Primarily, 
this  is  due  to  the  lack  of  information  available,  and  the 
small  amount  of  training  available,  on  FMEA. 

Currently,  FMEA  is  primarily  a reiteration  of  the  quan- 
titative determinations  of  the  reliability  analysis.  In 
order  for  the  full  benefit  of  the  FMEA  process  to  be  real- 
ized, this  study  has  found  that  FMEA  must  become  divorced 
from  the  numerics  of  the  reliability  analysis  because  its 
full  potential  lies  in  its  ability  to  provide  information  for 
qualitative  management  decisions.  This  study  recommends  that 
the  FMEA  make  use  of  a technique  which  associates  failure 
probability  and  failure  rate  data  with  a predetermined  set  of 
ranges.  These  ranges  allow  more  flexibility  in  the  decision 
making  process  because  the  dependency  of  the  FMEA  upon 
specific  numbers  is  reduced. 

A major  factor  found  by  this  study  which  hinders  the 
wide  use  of  FMEA  is  its  current  dependency  upon  a rather  well 
developed  design  of  the  system.  This  is  yet  another  aspect 
of  the  current  philosophy  which  must  be  changed  in  order  to 
derive  expanded  benefit  from  FMEA.  The  evaluation  of  a 
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defense  alternative  while  it  is  in  the  conceptual  phase  of 
development,  before  it  becomes  a definitive  design  and 
before  the  initiation  of  design  reviews,  can  provide  manage- 
ment with  indications  of  its  feasibility  and  emphasize 
problem  areas  early  in  the  acquisition  cycle  when  costs  are 
lower . 

In  order  to  better  enable  Program  Management  to  retain 
visibility  of  the  progress  of  a system  development  the  in- 
corporation of  the  FMEA  Transition  Summary  is  recommended. 
This  supplement  to  the  FMEA  is  not  a summary  of  the  contents 
of  the  FMEA,  but  is  a summary  of  the  changes  which  have 
taken  place  to  the  FMEA,  especially  between  design  reviews 
and  as  design  changes  take  place.  The  Summary  provides  real- 
time visibility  over  the  progress  of  the  system  development 
because  as  design  changes  take  place,  and  the  contractor  sub- 
mits an  amended  Summary,  Program  Management  can  directly 
relate  their  impact  to  the  system  objectives.  The  Transition 
Summary  also  provides  a vehicle  for  evaluating  the  dollar 
impact  of  trade-offs  to  cost,  schedule  and  performance 
requirements . 

Also  recommended  is  the  use  of  the  Failure-Criticality 
Grid  which  provides  a method  for  visualizing  the  relation- 
ships of  failure  and  criticality  classification.  This  can  be 
especially  beneficial  to  the  Program  Manager  in  his  efforts 
in  determining  the  capability  of  the  system  development  to 
meet  specific  design  goals  and  defense  objectives,  allocating 
resources  to  critical  areas  of  the  procurement  effort, 
establishing  the  dollar  impact  of  design  changes,  and  in 
evaluating  the  progress  and  maturity  of  the  system  develop- 
ment. This  study  has  found  that,  owing  to  its  size  and  com- 
plexity, a FMEA  accomplished  with  current  techniques  is 
extremely  difficult  to  analyze  with  respect  to  the  relative 
occurrence  of  any  single  criticality  classification  and  the 
distribution  of  all  criticality  classifications  over  the 
entire  system.  The  Failure-Criticality  Grid  clearly  fulfills 


this  need  and  provides  the  primary  benefit  of  providing  the 
Program  Manager  with  visibility  of  the  entire  system  devel- 
opment . 

The  true  validity  and  cost  effectiveness  of  the  FMEA 
process  lies  in  its  capability  to  be  applied  to  a diverse 
number  of  areas  of  the  procurement  effort.  This  study  has 
found  that  the  current  structure  of  FMEA  and  the  general 
philosophy  surrounding  its  use  have  acted  as  deferents  to  its 
being  employed  to  its  full  potential.  This  is  especially 
true  in  the  broad  area  of  logistics  support.  A change  in  the 
current  philosophy,  and  the  subsequent  change  in  the  pro- 
cedures, can  result  in  a wider  use  and  acceptance  of  FMEA. 

As  the  scope  of  FMEA  use  increases  to  cover  more  aspects  of 
the  procurement  effort,  its  validity  and  cost  effectiveness 
increase . 
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I . INTRODUCTION 

Failure  Mode  and  Effect  Analysis,  known  as  FMEA,  is  a 
systematic  process  of  analyzing  the  capabilities  and  perfor- 
mance of  a system  with  respect  to  the  areas  of  its  possible 
failure.  In  contrast,  a reliability  analysis  is  concerned 
with  the  probability  that  a system  will  operate  successfully 
within  defined  specifications  over  a specified  period  of 
time.  Essentially,  the  FMEA  is  a deterministic  analysis  be- 
cause it  makes  the  basic  assumption  that  the  system  has 
failed,  regardless  of  the  results  of  the  reliability  analysis. 
Then,  the  FMEA  proceeds  with  a hypothetical  determination  of 
how  the  system  failed,  known  as  the  Failure  Mode,  and  the 
effect  that  this  failure  will  have  on  the  system  capabilities 
and  performance,  known  as  the  Failure  Effect.  Currently, 
this  analysis  is  carried  out  through  the  entire  system  struc- 
ture from  the  overall  system  level  to  the  lowest  level  of 
individual  components. 

FMEA  is  required  on  all  major  defense  system  acquisi- 
tions made  by  the  Department  of  Defense  (DOD).  A detailed 
study  of  the  process  as  it  is  performed  by  all  branches  of 
the  DOD  would  be  too  extensive  for  proper  evaluation.  There- 
fore, this  study  deals  specifically  with  the  role  of  FMEA  in 
the  management  of  defense  system  procurements  by  the  United 
States  Air  Force. 

Failure  Mode  and  Effect  Analysis  is  required  on  every 
major  Air  Force  procurement  effort,  as  established  by  Military 
Standard  (MIL-STD)  Number  785A.  (1)  This  written  requirement 
is  minimal  in  scope  in  that  it  does  not  describe  the  basic 
concepts  of  FMEA  or  reference  a MIL-STD  that  does,  and  no  Air 
Force  documentation  is  available  to  fully  explain,  or  supple- 
ment, it.  Therefore,  the  lack  of  information  on  this  process 
is  a significant  problem  to  the  Air  Force  Program  Manager. 

It  is  not  realistic  to  require  the  Program  Manager  to  properly 
employ  this  potentially  valuable  tool  if  he  is  unaware  of  its 
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basic  concepts,  its  current  and  potential  uses,  and  its  capa- 
bilities. 

A.  PURPOSE  OF  THE  STUDY 

The  purpose  of  this  study  is  to  analyze  the  important 
aspects  of  Failure  Modes  and  Effects  Analysis.  This  analysis 
will  be  limited  to  the  relationship  of  FMEA  to  defense  system 
procurement  in  the  Air  Force  and  the  role  it  can  play  in  Air 
Force  Program  Management.  The  study  will  endeavor  to  build  a 
'failure  model'  of  a hypothetical  system  and  fit  its  use  into 
the  procurement  system,  under  current  conditions.  Then,  it 
will  be  necessary  to  explore  the  ways  in  which  this  concept 
can  be  utilized  in  streamlining  the  procurement  process  and 
in  providing  the  Air  Force  Program  Manager  with  an  effective 
management  tool. 

As  previously  mentioned,  the  major  problem  confronted  in 
an  attempt  to  contrast  the  effectiveness  of  various  Failure 
Mode  and  Effect  Analyses  is  the  lack  of  information.  There 
is  no  single  guiding  directive,  relative  to  Air  Force  pro- 
curement procedures,  which  specifically  delineates  the 
required  process  or  the  minimum  informational  content  neces- 
sary. Essentially,  the  company  which  accomplishes  the  FMEA 
applies  their  individual  interpretation  of  MIL-STD-785A  to 
their  particular  effort,  and  is  correct  in  doing  so  as  long 
as  they  satisfy  that  basic  requirement.  Consequently,  there 
is  no  straight-forward  manner  in  which  these  specific  analyses 
can  be  contrasted  since  no  documented  rationale  exists  to 
explain  their  formulation.  Therefore,  no  effort  will  be  made 
here  to  directly  compare  a specific  FMEA  from  some  arbitrary 
Company  A with  that  of  one  of  Company  B and  point  out  the 
benefits  and  deficiencies.  The  objective  of  this  study  is  to 
combine  the  important  aspects  of  Failure  Modes  and  Effects 
Analysis,  present  a model  FMEA,  and  draw  conclusions  as  to 
the  current  deficiencies  and  future  benefits  of  the  entire 
FMEA  endeavor . 
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B.  STATEMENT  OF  THE  PROBLEM 

Currently,  Failure  Mode  and  Effect  Analysis  is  a re- 
quirement of  every  major  Air  Force  defense  system  procurement 
as  directed  by  Military  Standard  785A.  Funds  and  time  are 
expended  by  civilian  contractors  in  analyzing  designs,  com- 
piling data  and  formulating  reports  to  satisfy  this  require- 
ment. Even  after  all  this,  little  seems  to  be  known  about 
the  process  outside  of  the  select  few  who  are  involved  in  its 
accomplishment.  No  Military  Standard,  Air  Force  Manual  or 
Pamphlet  exists  to  supplement  the  basic  requirement.  Few 
textbooks  in  reliability,  quality  control  or  project  manage- 
ment approach  the  subject,  and  those  which  do  describe  it  in 
a few  superficial  paragraphs.  Much  of  the  FMEA  information 
and  procedures  available  to,  and  utilized  by,  civilian  con- 
tractors seems  to  be  in  the  form  of  corporate  Standard  Prac- 
tices which  have  gained  their  current  status  through  a trial 
and  error  process.  Essentially,  FMEA  seems  to  be  an  impor- 
tant process  about  which  little  indepth  information  is  avail- 
able. 

Tb3  lack  of  information  available  on  FMEA  constitutes  a 
significant  problem.  Consequently,  the  Air  Force  Program  Man- 
ager is  faced  with  the  situation  of  being  required  to  manage 
the  FMEA  effort  on  a continuing  basis  without  the  knowledge 
necessary  to  evaluate  its  validity  or  support  its  worth. 

It  is  becoming  increasingly  important  that  the  Air  Force 
derive  maximum  dollar  benefit  from  all  procurement  oriented 
efforts.  The  Air  Force  Program  Manager  is  entrusted  with  the 
responsibility  of  assuring  that  all  facets  of  a procurement 
process  mesh  efficiently  and  that  all  requirements  are  thor- 
oughly and  economically  carried  out.  Clearly,  it  is  difficult 
to  determine  if  maximum  benefit  is  being  derived  from  FMEA 
with  so  little  information  available. 

Therefore,  the  problem  confronted  here  is  one  of  building 
a detailed  framework  of  the  FMEA  process.  This  framework  con- 
sists not  only  of  the  foundations  of  the  concept  of  FMEA  but 
also  how  it  relates  to  the  procurement  process. 
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II.  RESEARCh  INFORMATION 


Research  for  this  study  was  accomplished  through  an 
extensive  literature  review  and  through  numerous  personal 
interviews.  The  following  is  a discussion  of  the  results  of 
this  effort  which  spanned  a time  frame  of  approximately  18 
months.  Involved  in  this  was  the  review  of  over  700  arti- 
cles, papers  and  books,  and  approximately  5000  miles  of  trav- 
el by  the  author  for  the  interviews. 

A.  LITERATURE  REVIEW 

The  basic  requirement  for  the  accomplishment  of  a 
Failure  Mode  and  Effect  Analysis  in  all  major  Air  Force 
defense  system  procurements  is  given  in  Military  Standard 
785A  (2)  as  follows: 

"The  primary  purpose  of  FMEA  is  to  identify  potential 
system  weaknesses.  Each  potential  failure  shall  be 
evaluated  to  determine  its  effect  on  mission  accom- 
plishment and  ranked  as  to  its  criticality.  Mission 
critical  failures  shall  be  further  investigated  as 
to  failure  mode  to  determine  design  improvements  re- 
quired to  eliminate  failure  causes  or  reduce  risks 
to  acceptable  levels.  The  FMEA  should  be  planned  as 
a continuing  effort  to  give  design  guidance,  and  pro- 
vide data  for  consideration  in  each  design  review." 

In  attempting  to  define  how  to  fulfill  this  requirement, 
the  Program  Manager  is  immediately  faced  with  the  lack  of 
indepth  information  on  Failure  Mode  and  Effect  Analysis, 
especially  that  concerning  the  role  of  FMEA  in  the  management 
of  a system  acquisition.  In  a review  of  the  abstracts  of 
over  600  articles  and  papers  available  through  the  Defense 
Logistics  Studies  Information  Exchange  (DLSIE)  on  the  broad 
subject  area  of  reliability  and  FMEA,  only  one  article  was 
found  which  addressed  the  basic  concepts  involved  in  formu- 
lating a FMEA.  Although  many  authors  refer  to  the  purpose 
and  potential  uses  of  FMEA,  their  orientation  is  toward  the 
design  engineer  and  little  emphasis  is  given  to  the  management 
aspects  of  the  process. 
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Blanchard  (3)  has  shown  some  of  the  ways  in  which  FMEA 
can  be  integrated  into  a management  program  through  its  use 
in  logistics  management.  He  mentions  that  FMEA  can  be  used 
to  gauge  the  supply  supportabi lity  and  maintai nabi J i ty  of  a 
system  and  that  FMEA  should  be  an  important  contributor  to 
the  maintenance  analysis.  Although  other  authors  imply  that 
it  can  be  used  in  these  areas,  few  state  how. 

Little  insight  is  gained  into  the  methods  and  procedures 
for  formulating  a FMEA.  A majority  of  authors  simply  state, 
in  a few  sentences,  the  informational  content  required  and 
show  a sample  FMEA  format  without  detailing  the  significance 
of  the  individual  entries  or  how  they  might  impact  upon  the 
management  of  the  program.  Arnzen  (4)  describes  the  make-up 
of  a FMEA  in  a logical  and  progressive  manner.  He  employs  a 
sample  system  to  show  the  relationship  of  the  system  block 
diagram  to  the  entries  in  the  FMEA  form  and  shows  how  im- 
provements to  the  design  can  be  itemized.  However,  the  arti- 
cle is  oriented  toward  the  design  engineer  and  only  briefly 
mentions  the  role  of  FMEA  in  a management  environment. 

The  scope  of  information  necessary  for  a meaningful  FMEA 
varies  from  author  to  author.  Juran  (5)  suggests  the  use  of 
an  analysis  which  categorizes  the  probability  of  a failure 
occurrence,  the  likelihood  of  damage  to  surrounding  elements, 
and  the  seriousness  of  the  failure  to  the  operation  of  the 
system.  In  addition,  he  recommends  that  the  analysis  should 
detail  such  items  as  the  effect  of  the  failure  upon  the  pro- 
ductivity of  the  system,  the  units  or  items  which  must  be 
removed  to  repair  the  failure,  the  special  tools  required  and 
an  estimate  of  the  time  required  to  repair  the  failure. 

Again,  the  emphasis  is  toward  the  design  engineer  with  little 
emphasis  placed  upon  the  management  aspects,  and  the  descrip- 
tion of  the  concepts  involved  is  cursory.  The  analysis  by 
Arnzen  (6)  is  much  more  refined  and  presents  information 
which  emphasizes  the  "vital  few"  concept.  Blanchard  (7) 
leaves  the  form  and  content  to  the  analyst,  explaining  the 
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requirements  in  general  terms  and  implying  that  the  FMEA 
should  be  oriented  toward  the  maintenance  and  logistics  as- 
pects of  the  system. 

The  ways  in  which  FMEA  is  actually  used  in  current  pro- 
grams is  limited  to  a discussion  of  its  primary  use  during 
design  reviews  and  again  the  orientation  is  toward  the  use  of 
FMEA  by  the  corporate  design  engineer.  In  order  to  circum- 
vent this  situation,  a number  of  interviews  were  held  with 
people  actively  involved  in  the  management  of  various  aspects 
of  defense  system  acquisition  for  the  Air  Force. 

B.  INTERVIEW  SYNOPSES 

The  initial  interview  for  this  study  was  held  on 
November  22,  1976  with  Mr.  W.  P.  Murden  and  Mr.  A.  S. 
Torgerson  of  the  Reliability  Division  of  the  McDonnell- 
Douglas  Aircraft  Corporation  in  St.  Louis,  Missouri.  (8) 

This  gave  the  viewpoint  of  a civilian  contractor  toward  FMEA. 
Mr.  Torgerson  reviewed  the  process  and  the  procedures  re- 
quired by  the  McDonnell-Douglas  regulations,  or  Standard 
Practices.  (9)  He  stated  that  the  analysis  is  conducted  by  a 
team  composed  of  a design  engineer  and  a reliability  engineer 
and  is  quite  extensive  in  scope.  Mr.  Murden  stated  that  the 
process  is  valuable  in  the  areas  of  reliability  and  logistics 
and  would  most  probably  be  accomplished,  to  some  extent,  even 
if  not  required  by  the  Air  Force.  Both  gentlemen  agreed  that 
the  FMEA  process  is  an  extensive  one  requiring  many  man-hours 
to  complete  and  could  possibly  be  simplified.  Since  FMEA  is 
accomplished  throughout  the  acquisition  effort  and  is  not 
specifically  itemized  in  the  contract,  no  information  was 
available  as  to  the  specific  costs  involved.  Also,  the  close 
relationship  between  FMEA  and  a definitive  design  of  the 
system  was  verified.  Generally,  the  involvement  of  FMEA  in 
the  operations  of  the  McDonnell-Douglas  Corporation  is  quite 
extensive.  Many  of  the  departments  involved  in  the  design 
effort  have  exposure  to  the  FMEA  and  make  use  of  it.  The 
significant  problem  seemed  to  be  with  the  various  subcontrac- 
tors in  that  many  are  not  familiar  with  the  FMEA  process  and 
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have  to  be  educated  on  it  by  McDonnell-Douglas  personnel.  As 
in  a majority  of  the  references  reviewed  by  this  study,  the 
emphasis  and  orientation  of  the  FMEA  still  remains  toward  the 
design  of  the  system.  Therefore,  it  became  necessary  to  con- 
duct more  interviews  to  determine  the  extent  of  its  use  by 
Air  Force  Program  Management. 

Captain  Francis  Stump,  of  the  Directorate  of  Engineering 
Services  of  the  Air  Force  Acquisition  Logistics  Division, 

Wr ight-Patterson  Air  Force  Base,  was  contacted  on  April  4, 
1977.  (10)  His  previous  involvement  with  the  National  Aero- 
nautics and  Space  Administration  (NASA)  and  his  current 
assignment  with  the  Air  Force  Logistics  Command  have  given 
him  extensive  knowledge  of  the  concepts  of  FMEA.  He  also 
served  on  numerous  occasions  as  a guest  lecturer  on  FMEA  to 
the  Air  Force  Institute  of  Technology  School  of  Systems  and 
Logistics  Management.  Essentially,  Captain  Stump  presented 
his  lectures  on  FMEA  (11)  (12)  which  introduced  the  basic 
concepts,  showed  the  applications  and  uses  of  FMEA,  defined 
the  terms  used  in  the  analysis,  and  showed  the  common  purpose 
of  the  several  approaches  which  are  taken.  Also,  he  thor- 
oughly outlined  the  formulation  of  a FMEA  through  the  analy- 
sis of  a sample  system.  Most  important,  however,  was  the 
emphasis  which  Captain  Stump  placed  on  the  need  for  the  in- 
creased involvement  of  FMEA  in  Air  Force  Program  Management 
and  the  need  for  documentation  on  FMEA  which  would  be  readily 
available  to  the  Program  Manager. 

An  interview  with  Major  James  Wessell  (13)  of  the  direc- 
torate of  Systems  Engineering  of  the  F-15  Joint  Engine  Pro- 
ject Office  (JEPO),  Wright-Patterson  Air  Force  Base,  on 
April  6,  1977,  established  the  fact  that,  in  this  particular 
program,  the  use  of  FMEA  in  the  later  stages  of  system  devel- 
opment is  minimal.  Also  in  the  F-15  Program,  the  FMEA  is  not 
required  to  be  delivered  to  the  Air  Force  by  the  contractor, 
McDonnell-Douglas,  and  is  retained  by  the  contractor  for 
evaluation  during  design  reviews.  Data  items  which  show  sig- 
nificant changes  to  the  FMEA  or  the  distribution  of  failures 
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were  also  not  required.  Major  Wessell  stated  that  the  sig- 
nificant use  of  the  FMEA  in  the  F-15  Program  was  in  the  area 
of  safety. 

Mr.  Charles  Dorney,  of  the  System  Safety  Office  of  the 
F-15  Joint  Engine  Project  Office,  was  also  interviewed  on 
April  6,  1977  (14)  because  of  his  knowledge  of  FMEA  and  his 
involvement  with  the  safety  aspects  of  the  F-15  acquisition 
effort.  Mr.  Dorney  related  that  the  FMEA  constituted  the 
major  source  for  the  Safety  and  Hazard  Analysis  conducted  on 
the  system.  This  analysis  is  essentially  a contractor  re- 
sponsibility and  that  although  the  form  may  vary  between  con- 
tractors the  content  is  the  same. 

Various  aspects  of  the  involvement  of  FMEA  in  the  F-16 
Aircraft  Program  were  covered  in  an  interview  on  April  7, 

1977  with  Lieutenant  Thomas  Landers,  Wright-Patterson  Air 
Force  Base,  (15),  of  the  Analysis  and  Integration  Branch  of 
the  F-16  Directorate  of  Systems  Engineering.  As  in  most 
other  programs,  the  Failure  Mode  and  Effect  Analysis  of  the 
F-16  aircraft  is  a contractor  responsibility  and  is  retained 
by  the  contractor,  Grumman  Aircraft  Engineering  Corporation, 
for  evaluation  during  design  reviews.  The  analysis  is  not 
used  by  Program  Management  to  any  significant  degree. 

Mr.  W.  0.  Detert,  of  the  Aeronautical  Systems  Division 
Reliability  and  Maintainability  Engineering  Branch,  in  an 
interview  on  April  7,  1977  (16)  verified  information  previ- 
ously obtained.  Generally,  FMEA  is  a contractor  responsi- 
bility and  is  not  normally  delivered  to  the  Air  Force  but  is 
retained  by  the  contractor  for  Air  Force  evaluation  during 
design  reviews.  FMEA  is  a required  Design  Review  Agenda  item 
and  is  evaluated  for  its  basic  content  and  for  the  occurrence 
of  mission  critical  failure  modes,  or  those  listed  in  this 
report  as  Category  III  and  IV  criticality  classifications. 
Also,  Mr.  Detert  stated  that  the  introduction  of  the  FMEA  into 
the  Program  Management  is  not  a common  practice.  In  addition, 
Mr.  Detert  stated  that  the  reliability  engineers  who  conduct 
the  evaluation  of  the  FMEA  during  design  reviews  are  either 


familiar  with  the  process  from  past  experience  or  become 
familiar  with  the  process  in  the  course  of  their  duties.  No 
formalized  training  is  conducted  on  FMEA . 

On  October  17,  1977,  interviews  were  conducted  at  the 
National  Aeronautics  and  Space  Administration  (NASA)  Lyndon 
11.  Johnson  Space  Center  (JSC)  in  Houston,  Texas.  The  indi- 
viduals interviewed  were:  Mr.  Henry  L.  Williams,  Chief, 
Vehicle  Reliability  Engineering  Branch,  (17)  and  Mr.  Marion 
E.  Merrell,  AST  Reliability  Engineer.  (18)  Primarily,  these 
interviews  were  for  the  purpose  of  drawing  a contrast  between 
the  FMEA  process  currently  used  by  NASA  in  the  Space  Shuttle 
Program  with  that  currently  used  by  the  Air  Force.  The  Space 
Shuttle  is  a development  which  may  change  the  nature  of  NASA 
operations.  Heretofore,  spacecraft  were  "one-shot"  equipment 
items  in  that  they  were  not  recovered  for  reuse.  The  Space 
Shuttle  represents  the  beginning  of  the  development  of  re- 
usable spacecraft  and  involves  new  problems  in  the  areas  of 
reliability  and  maintainability. 

One  of  the  most  significant  differences  found  between 
the  two  programs  is  that  the  FMEA  used  by  NASA  is  strictly 
qualitative  in  nature  as  opposed  to  the  quantitative  basis  of 
the  Air  Force  process.  Through  the  evolutionary  nature  of 
the  FMEA  development  at  NASA,  it  was  found  that  the  use  of 
numerics  was  not  beneficial  to  the  smooth  flow  of  the  deci- 
sion making  process.  Although  this  type  of  analysis  is  still 
somewhat  controversial,  the  contrast  between  these  two 
methods  does  substantiate  the  hypothesis  made  by  this  study 
that  the  use  of  a "middle  ground"  approach  is  feasible  and 
practical.  That  is,  the  FMEA  can  be  based  upon  numeric 
factors  which  are  tailored  to  the  particular  development 
without  an  overwhelming  reliance  upon  numerics  which  have 
become  standard  in  all  reliability  and  maintainability  analy- 
ses, such  as  mean  time  between  failures  ( MTBF ) , mean  time  to 
repair  (MTTR)  and  failure  rate  or  failure  probability. 

Another  significant  contrast  exists  in  the  area  of  docu- 
mentation. In  addition  to  the  major  directing  document  (19) 
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the  manager  which  has  charge  of  the  FMEA  has  a complete  desk 
instruction  (20)  which  details  the  FMEA  process.  This  desk 
instruction  is  updated  periodically  as  modifications  to  the 
FMEA  requirements  occur.  No  such  document  exists  for  the  Air 
Force  manager. 

Although  the  responsibility  for  accomplishing  the  FMEA 
still  rests  with  the  civilian  contractor,  NASA  requires  that 
the  entire  FMEA  be  delivered  to  the  NASA  manager,  who  per- 
forms periodic  reviews  of  the  document  and  is  responsible  for 
evaluating  the  impact  of  changes  through  the  use  of  the  FMEA. 
In  addition,  Mr.  Merrell  stated  that  the  availability  of  the 
complete  FMEA  expedites  the  design  review  process  and  gener- 
ally benefits  the  decision  making  process.  The  contractor  is 
required  to  provide  interim  updates  to  the  FMEA  as  design 
changes  occur.  The  complete  FMEA  is  also  distributed  to 
other  NASA  offices,  such  as  those  concerned  with  testing  and 
maintainability . 

The  depth  of  the  information  presented  in  these  inter- 
views is  far  too  extensive  for  this  report.  However,  it  is 
important  to  note  that  the  FMEA  process  used  by  NASA  is  evo- 
lutionary in  nature  in  that  it  has  been  improved  many  times 
by  using  the  results  of  previous  programs;  that  it  is  non- 
numeric in  structure  and  is  used  to  make  qualitative  manage- 
ment decisions;  has  definitized  management  control  by  requir- 
ing that  the  contractor  deliver  the  entire  analysis  and  pro- 
vide interim  updates;  has  widespread  use  in  many  areas  of  the 
system  development;  and  is  based  upon  well  documented  pro- 
cedures through  the  use  of  a basic  directive  and  a detailed 
supplement  in  the  form  of  a desk  instruction  for  the  manager. 
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III.  DISCUSSION,  PROCEDURES  AND  RESULTS 

The  following  is  a discussion  of  the  basic  elements  in- 
volved in  formulating  a Failure  Mode  and  Effect  Analysis. 
Through  the  use  of  a hypothetical  system,  the  generalized 
procedures  for  formulating  a FMEA  are  presented.  It  must  be 
emphasized  that  these  procedures  do  not  represent  those  used 
in  the  FMEA  for  any  specific  program,  but  are  the  procedures 
used  in  deriving  the  model  FMEA  in  Appendix  A.  Also  included 
in  the  following  sections  are  the  results  of  this  study  as  to 
the  use  of  each  aspect  of  the  FMEA  in  the  procurement  process. 

A.  FAILURE  MODES  AND  EFFECTS  ANALYSIS 

A system  operates,  or  fails  to  operate,  based  upon  the 
performance  of  certain  critical  components  or  subsystems. 

The  key  in  evaluating  the  ability  of  the  system  to  perform  a 
required  mission,  or  achieve  a desired  objective,  is  the 
identification  of  these  critical  areas.  Many  times,  the 
design  of  a system  is  so  complex  that  a simple  examination  is 
not  sufficient  for  this  identification  process.  The  Failure 
Mode  and  Effect  Analysis  is  a systematic  method  of  identify- 
ing and  classifying  these  critical  areas.  The  title  itself 
is  an  indication  of  the  nature  of  the  analysis. 

1.  Elements  of  the  FMEA.  The  failure  mode  is  the 
manner  in  which  the  component,  subsystem  or  system  has  failed. 
For  example,  a power  supply  may  fail  to  provide  the  required 
voltages  to  the  various  parts  of  the  system,  or  a compressor 
may  fail  to  provide  the  correct  hydraulic  pressure.  There 
are  four  basic  failure  modes:  premature  operation,  failure  to 
operate  at  a prescribed  time,  failure  to  cease  operation  at  a 
prescribed  time,  and  failure  during  operation.  (21)  (22) 
Virtually  every  type  of  failure  mode  can  be  classified  into 
one  or  more  of  these  general  categories.  These  general 
failure  mode  categories  are,  of  course,  too  broad  in  scope 
for  a definitive  analysis. 
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Table  I is  a list  of  the  specific  failure  modes.  These 
32  failure  modes  describe,  in  sufficiently  specific  terms, 
the  failure  of  any  component,  subsystem,  or  system.  When 
used  in  conjunction  with  the  four  basic  categories,  the  com- 
plete failure  mode  can  be  defined.  For  example,  the  power 
supply  previously  mentioned  may  have  a failure  mode  which 
falls  under  the  general  category  of  failure  during  operation 
and  a specific  failure  mode  of  loss  of  output.  The  compres- 
sor may  have  a general  failure  mode  of  failure  to  operate  at 
a prescribed  time  and  a specific  failure  mode  of  internal 
leakage . 

The  analysis  also  involves  a consideration  of  the  fail- 
ure cause,  or  that  situation  which  results  in  the  failure 
mode.  The  list  of  Table  I,  therefore,  performs  another 
purpose  in  also  defining  a list  versatile  enough  to  provide  a 
failure  cause.  Again  using  the  previous  examples,  the  power 
supply  has  a general  failure  mode  of  failure  during  operation, 
the  specific  failure  mode  of  loss  of  output,  and  a failure 
cause  of  the  category  OPEN  (ELECTRICAL).  The  compressor  has 
the  general  failure  mode  of  failure  to  operate  at  a pre- 
scribed time,  the  specific  failure  mode  of  internal  leakage, 
and  the  failure  cause  of  structural  failure  (rupture);  pos- 
sibly related  to  internal  valves. 

Again,  as  indicated  by  the  title,  it  is  necessary  to 
determine  the  effect  which  the  failure  mode  has  on  the  system, 
or  on  those  components  or  subsystems  directly  related  to  the 
failed  item.  Again  referring  to  Table  I,  it  is  possible  to 
see  that  the  failure  effect  which  is  the  result  of  a failure 
mode  of  one  unit  may  indicate  the  failure  mode  of  the  next 
item  in  a subsystem.  For  example,  the  loss  of  the  output  of 
the  hypothetical  power  supply  may  have  the  effect  of  the  in- 
ability of  certain  items  to  function.  Correspondingly,  these 
units  would  have  a failure  cause  of  'loss  of  input'  and  the 
effect  on  the  system  may  be  a failure  mode  of  'fails  to 
start'.  Clearly,  this  somewhat  precludes  the  effectiveness 
of  the  analysis  because  it  does  not  make  readily  apparent  the 
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TABLE  I 
FAILURE  MODES 

1.  STRUCTURAL  FAILURE  (RUPTURE) 

2.  PHYSICAL  BINDING  OR  JAMMING 

3.  VIBRATION 

4.  FAILS  TO  REMAIN  (IN  POSITION) 

5.  FAILS  TO  OPEN 

6.  FAILS  TO  CLOSE 

7.  FAILS  OPEN 

8.  FAILS  CLOSED 

9.  INTERNAL  LEAKAGE 

10.  EXTERNAL  LEAKAGE 

11.  FAILS  OUT  OF  TOLERANCE  (HIGH) 

12.  FAILS  OUT  OF  TOLERANCE  (LOW) 

13.  INADVERT ANT  OPERATION 

14.  INTERMITTENT  OPERATION 

15.  ERRATIC  OPERATION 

16.  ERRONEOUS  INDICATION 

17.  RESTRICTED  FLOW 

18.  FALSE  ACTUATION 

19.  FAILS  TO  STOP 

20.  FAILS  TO  START 

21.  FAILS  TO  SWITCH 

22.  PREMATURE  OPERATION 

23.  DELAYED  OPERATION 

24.  ERRONEOUS  INPUT  (INCREASED) 

25.  ERRONEOUS  INPUT  (DECREASED) 

26.  ERRONEOUS  OUTPUT  (INCREASED) 

27.  ERRONEOUS  OUTPUT  (DECREASED) 

28.  LOSS  OF  INPUT 

29.  LOSS  OF  OUTPUT 

30.  SHORTED  (ELECTRICAL) 

31.  OPEN  (ELECTRICAL) 

32.  LEAKAGE  (ELECTRICAL) 
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seriousness  of  any  one  particular  failure  mode.  Therefore, 
each  failure  effect  is  classified  by  its  criticality  to  the 
over-all  system  performance.  This  criticality  classification 
is  as  follows: 

CLASS  IV:  ’CATASTROPHIC.'  Any  single  failure  which 
could  potentially  cause  the  complete  loss  of  the  system,  or 
cause  injury  to  operational  or  other  personnel. 

CLASS  III:  'CRITICAL.'  Any  failure  which  could  poten- 
tially degrade  the  specified  performance  of  the  system  to  a 
point  causing  complete  loss  of  the  system  without  damage  or 
danger  to  personnel;  a condition  which  although  enabling  the 
system  to  function  could  potentially  become  more  serious,  or 
a hazardous  condition  which  is  reparable  during  operation. 

CLASS  II:  ' NON-CRITICAL. ' Any  failure  which  degrades 
the  performance  of  the  system  to  a point  which  could  poten- 
tially prevent  the  accomplishment  of  a specified  function 
without  the  loss  of  associated  equipment  and  without  danger 
to  any  personnel,  but  not  to  a point  which  causes  the  com- 
plete loss  of  the  system. 

CLASS  I:  'MINOR.'  Any  failure  which  does  not  degrade 
the  performance  of  the  system,  or  any  type  of  failure  requir- 
ing corrective  action  other  than  those  of  Class  II,  III,  or 
IV. 

It  is  important  that  the  analyst  use  sound  judgement  in 
applying  these  criticality  classifications  shown  in  Table  II. 
Any  process  which  involves  a judgement  concerning  the  danger 
of  human  life  naturally  breeds  a tendency  to  extend  that 
judgement  to  compensate  for  all  factors  for  the  sake  of 
safety;  often  to  an  illogical  or  extreme  extent.  Therefore, 
the  extensive  use  of  a Category  IV  classification  just  "to 
play  it  safe"  would  be  inappropriate  and  would  degrade  the 
validity  of  the  FMEA.  The  use  of  a Category  I classification 
for  the  expediency  of  avoiding  problems  would  also  be  un- 
justified. All  factors  must  be  taken  into  account  in  the 
application  of  these  classifications  because  of  their  impact 
upon  the  evaluation  of  the  success  of  the  system  development 
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TABLE  II 

CRITICALITY  CLASSIFICATIONS 


CLASS 

IV  CATASTROPHIC  Any  single  failure  which  could 

potentially  cause  the  complete 
loss  of  the  system,  or  cause 
death  or  injury  to  personnel. 

Ill  CRITICAL  Any  failure  which  could  potentially 

cause  any  of  the  following: 

1.  The  function  or  mission  of  the 
system  to  be  aborted  without  loss 
of  equipment  or  endangering  per- 
sonnel . 

2.  A condition  which  although 
enabling  the  system  to  function, 
could  become  more  serious. 

3.  A hazardous  condition  which 
is  reparable  during  system 
operation . 

II  NON-CRITICAL  Any  failure  which  degrades- the 

performance  of  the  system  and 
results  in  the  function  or  mission 
being  aborted  or  the  loss  of  any 
automatic  control  capabilities. 

I MINOR  Any  failure  which  does  not  degrade 

the  performance  of  the  system,  any 
type  of  failure  other  than  those  of 
Class  I,  II,  or  III,  which  requires 
corrective  action. 
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with  respect  to  the  constraints  of  cost,  performance  and 
schedule . 

2.  A Hypothetical  System.  The  value  of  the  FMEA  lies 
in  its  systematic  approach,  and  by  using  the  preceeding  defi- 
nitions it  is  possible  to  establish  a sequence  of  events  for 
the  development  of  a FMEA,  as  shown  in  Table  III.  This 
sequence  is  presented  here  through  the  analysis  of  a hypo- 
thetical system.  First,  the  system  being  analyzed  must  be 
fully  identified  as  to  its  nomenclature,  function  and  composi- 
tion including  a description  of  the  associated  subsystems. 

In  addition,  it  is  necessary  to  identify  those  associated 
subsystems  which  are  to  be  excluded  from  the  analysis.  For 
our  purposes,  we  shall  identify  the  system  being  analyzed  as 
a high  pressure  air  compressor  which  will,  hypothetically,  be 
used  to  supply  all  the  high  pressure  air  for  a varied  number 
of  operations.  This  system  is  a modification  of  that  pre- 
sented by  Stump  (23)  in  that  it  incorporates  a more  compre- 
hensive indenture  level  identification  scheme.  The  compres- 
sor will  be  an  electric  motor  driven  two  cylinder,  four  stage 
piston  type  with  closed,  or  recirculating,  water  cooling  and 
self-contained  lubrication.  Excluded  from  the  analysis  will 
be  the  power  controller  and  the  high  pressure  storage  tank. 
Figure  1 shows  the  block  diagram  for  this  system,  which 
breaks  the  system  into  its  functional  areas,  such  as  motor 
and  compressor,  and  clearly  shows  the  inputs  and  outputs  of 
each  functional  area.  Therefore,  it  can  be  easily  seen  that 
the  motor  supplies  torque  of  4610  revolutions  per  minute 
(rpm)  to  the  compressor,  the  cooling  and  moisture  separation, 
and  lubrication  stages  and  that  the  compressor  supplies  out- 
puts of  high  pressure  air  and  of  pressure  and  temperature 
signals  to  the  instrument  and  monitor  stage.  Although  not 
included  in  the  analysis,  the  relationship  of  the  electrical 
control  stage  to  the  over-all  system  is  also  shown. 

Each  of  the  major  functional  areas  may  also  consist  of 
functional  sub-areas,  and  in  a complex  system  this  chain  of 
interrelationships  may  be  quite  complex.  Therefore,  the  next 
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TABLE  III 
THE  STEPS  OF  A 

FAILURE  MODES  AND  EFFECTS  ANALYSIS 

1.  COMPLETELY  IDENTIFY  THE  SYSTEM  BEING  ANALYZED 

2.  BREAK  DOWN  THE  SYSTEM  INTO  A FUNCTIONAL  BLOCK 
DIAGRAM 

3.  ESTABLISH  INDENTURE  LEVEL  IDENTIFICATION 

4.  DETERMINE  THE  FAILURE  MODE(S) 

5.  DETERMINE  THE  FAILURE  CAUSE(S) 

6.  ANALYZE  THE  SYMPTOMS  AND  THE  METHODS  OF  DETECTION 

7.  DETERMINE  THE  EFFECT  OF  THE  FA I LURE ( S ) 

8.  DETERMINE  THE  COMPENSATING  PROVISIONS 

9.  DETERMINE  THE  CRITICALITY  FACTOR 

10.  EVALUATE  THE  FAILURE  PROBABILITY 

11.  REMARKS  AND  RECOMMENDATIONS 
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step  of  the  analysis  is  to  establish  some  means  for  the  iden- 
tification of  the  level  of  these  relationships,  or  the  inden- 
ture level.  The  first  indenture  level  is  that  of  the  com- 
plete compressor  system  and  will  be  indicated  by  'O'.  The 
second  level  is  that  of  the  major  functional  areas,  instru- 
mentation and  monitors,  compressor,  motor,  lubrication,  and 
cooling  and  moisture  separation,  and  these  will  be  numbered, 
respectively,  0.1,  0.2,  0.3,  0.4,  0.5,  as  shown  in  Figure  1. 
The  third  indenture  level  consists  of  those  subsystems  which 
comprise  each  of  these  major  areas.  The  breakdown  for  the 
instrumentation  and  monitor  stage  is  shown  in  Figure  2.  Each 
of  the  subsidiary  block  diagrams  follow  the  same  concept  in 
that  they  must  completely  identify  the  subsystem  function, 
show  the  input  and  output  relationships,  and  be  clearly 
associated  with  the  next  higher  level  diagram.  This  system 
can  be  easily  extended  to  the  full  depth  of  any  system,  as 
shown  in  Figure  3 which  illustrates  the  breakdown  of  the 
temperature  monitor  subsystem  numbered  0.1.4  in  Figure  2.  A 
unit  designated  by  0.1. 4. 1.4  can  be  readily  identified,  in  a 
top-down  analysis,  as  belonging  to  the  major  system  0. , or 
the  compressor  system,  major  functional  area  0.1,  or  the  in- 
strumentation and  monitor  stage,  subsystem  0.1.4,  or  the 
temperature  monitor,  subunit  0. 1.4.1,  or  the  temperature 
sensor  for  the  air  inlet,  and  finally  to  unit  0.1.4. 1.4,  or 
the  fourth  stage  air  inlet  temperature  sensor.  In  addition, 
this  indenture  system  allows  each  input  or  output  signal  or 
function  to  be  precisely  designated.  The  signals  for  each 
individual  unit  can  be  numbered  consecutively  and  entered  as 
a dashed  number  in  the  indenture  level  number.  For  example, 
the  oil  temperature  signal  shown  in  Figure  2 would  be  desig- 
nated as  0.1. 4-3,  indicating  that  it  is  signal  number  three 
for  unit  0.1.4.  Although  the  system  arrangement  as  shown  in 
Figure  4 seems  somewhat  complicated,  in  practice  it  is  quite 
simple  to  master  and  affords  the  analyst  a brief  and  precise 
method  of  itemizing  and  accounting  for  each  unit  and  signal 
within  a complex  system. 
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Figure  2.  Instrumentation  and  Monitors 
Third  Indenture  Level 
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Figure  3.  Temperature  Monitor 

Fourth  Indenture  Level 


Figure  4.  System  Functional  Block  Diagram 
Signal  Identification 
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3.  The  FMEA  Form.  The  formulation  of  these  system 
block  diagrams  constitutes  one  aspect  of  the  construction  of 
a system  failure  model.  Another  important  facet  of  this 
initial  stage  in  the  building  of  a system  failure  model  is 
the  introduction  of  a method  for  systematically  tabulating 
the  results  of  the  analysis  through  the  use  of  a specified 
format.  This  FMEA  form  should  be  structured  so  that  data  can 
be  easily  entered  and  quickly  read  and  should  not  contain 
irrelevant  information.  The  value  of  the  FMEA  lies  in  its 
flexibility  and  its  logical  structure  and  too  much  data  can 
negate  this  value  just  as  can  the  lack  of  data.  In  addition, 
the  FMEA  form  should  be  closely  tied  to  the  information  pre- 
sented in  the  system  block  diagrams  previously  described. 
Together,  these  items  constitute  the  basic  requirements  of 
the  analysis.  When  separated  from  the  FMEA  form,  the  block 
diagram  does  describe  the  structure  of  the  system,  but  when 
united  with  the  FMEA  form  its  value  is  substantially  in- 
creased. When  separated  from  the  block  diagram,  the  FMEA 
does  essentially  describe  the  failure  model  of  the  system, 
but  the  interrelationships  involved  are  readily  apparent  when 
it  is  used  in  conjunction  with  the  system  block  diagrams. 

The  actual  format  of  the  FMEA  form  should  be  left  to  the  dis- 
cretion of  the  analyst  and  tailored  to  the  requirements  of 
the  customer.  A review  of  the  sources  available  to  this 
study  has  resulted  in  the  following  comprehensive  list  of 
data  items  which  should,  as  a minimum,  be  contained  in  the 
FMEA: 

1.  Item  Description  and  Specification 

2.  Failure  Mode 

3.  Failure  Cause 

4.  Symptoms  and  Detectability 

5.  Failure  Effect 

6.  Compensating  Provisions 

7.  Failure  Probability 

8.  Remarks  and  Recommendations 

9.  Criticality  Classification 
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A significant  amount  of  the  succeeding  discussion  will, 
therefore,  deal  with  the  formulation  of  this  FMEA  form  and 
the  contribution  made  by  each  portion  to  the  overall  system 
failure  model.  The  Failure  Mode  and  Effect  Analysis  for  the 
hypothetical  high  pressure  air  system  is  contained  in 
Appendix  A.  The  basic  objective  of  this  FMEA  is  to  provide 
a working  model  which  shows  the  relationship  of  the  FMEA  form 
to  the  system  block  diagrams,  and  provides  examples  of  the 
procedures  outlined  in  succeeding  sections. 

a.  Failure  Mode.  Once  the  operational  structure  of  the 
system  has  been  described,  it  is  possible  to  describe  the 
system  in  terms  of  its  failure.  Utilizing  the  block  diagram 
of  Figure  1 and  the  list  of  failure  modes  in  Table  I,  the 
system  can  be  modeled  in  terms  of  its  possible  failure  modes. 
This  assignment  of  failure  modes  requires  the  analyst  to 
apply  a judgement  based  upon  the  stated  requirements  con- 
tained in  the  equipment  specifications.  The  failure  mode 
which  is  the  result  of  this  postulation  is  that  which  causes 
a deviation  from  the  specified  output  function  requirements. 
It  must  be  emphasized  that  the  analyst  is  not  determining,  at 
this  point  in  the  FMEA  process,  how  well  the  subsystem  under 
consideration  meets  the  specifications,  or  attempting  to 
determine  which  of  the  specifications  are  most  likely  not  to 
be  met.  This  is  because  the  FMEA  process  is  initiated  after 
the  basic  assumption  that  the  subsystem  being  considered  has 
somehow  failed.  The  judgement  area  for  the  analyst  is  in 
making  a correlation  between  the  specification  and  the 
failure  mode.  This  assignment  of  failure  modes  proceeds 
through  each  indenture  level,  and  the  subsystems  of  which 
they  are  comprised.  Essentially,  this  process  of  failure 
mode  identification  comprises  the  first  stage  of  construction 
of  the  failure  model  of  the  entire  system. 

The  high  pressure  air  compressor  system  of  Figure  1 has 
a specified  output  requirement  of  high  pressure  air  at  3550 
pounds-per-square-inch  (psi),  at  a temperature  of  385  to  415 
degrees  Fahrenheit,  and  at  a rate  of  14.5  cubic-feet-per-hour 
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(cfh).  Clearly,  one  failure  mode  for  this  first  indenture 
level,  or  the  level  annotating  the  entire  system,  which  must 
be  analyzed  is  the  complete  loss  of  this  required  output. 

The  specifications  of  pressure,  temperature  and  rate  of  air- 
flow for  this  system  also  constitute  failure  areas  which  must 
be  analyzed. 

The  Failure  Mode  and  Effect  Analysis  for  the  hypotheti- 
cal high  pressure  air  system  is  shown  in  Appendix  A.  Gener- 
ally, the  assignment  of  failure  modes  to  the  individual  sub- 
systems is  accomplished  by  examining  the  outputs  of  these 
subsystems.  Therefore,  the  entries  under  the  FAILURE  MODE-- 
DESCRIPTION  column  pertain  to  the  outputs  of  the  subsystems 
listed  in  the  OUTPUT  SPECIFICATION  column.  The  entries  under 
the  FAILURE  MODE — REF  column  refer  to  the  indenture  level 
numbers  and  signal  designators  shown  in  the  system  block 
diagram.  This  hypothetical  system  has  been  analyzed  at  the 
"black  box"  level,  or  that  level  of  analysis  which  considers 
the  inputs  and  outputs  of  the  subsystem  without  regard  to  the 
individual  units  or  components  which  comprise  the  subsystem. 
If  more  detail  were  required  in  the  analysis,  the  subsystems 
could  be  broken  down  into  their  associated  units  and  then 
into  the  individual  components.  Regardless  of  the  depth  re- 
quired, the  analysis  follows  the  same  general  guideline  of 
determining  the  failure  mode  through  an  examination  of  the 
outputs . 

b.  Failure  Cause.  As  each  failure  mode  is  determined, 
the  analysis  proceeds  to  a consideration  of  the  cause  of  that 
particular  failure.  In  the  analysis  for  the  compressor, 
designated  by  reference  number  0.2,  the  failure  mode  of  LOSS 
OF  OUTPUT  has  an  associated  failure  cause  of  LOSS  OF  INPUT. 
Clearly,  the  failure  cause  which  has  been  used  can  only  be  as 
specific  as  the  indenture  level  will  allow.  The  analyst  must 
be  cautious  to  curtail  the  tendency  to  carry  the  analysis  to 
a depth  greater  than  that  necessary  for  the  immediate  task. 

It  would  be  inappropriate  to  list  a failure  cause  for  the 
second  indenture  level  analysis  which  specifies  a unit  or 
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component  in  the  fourth  indenture  level.  For  example,  in  the 
previously  mentioned  case,  it  would  be  an  incorrect  expansion 
of  the  scope  of  the  analysis  to  relate  the  failure  cause  of 
LOSS  OF  INPUT  to  a bearing  in  the  motor,  since  the  bearing  is 
not  shown  in  the  second  level  indenture  diagram.  What  is 
shown,  however,  is  the  torque  input  from  the  motor  and  this 
input  is  related  to  the  failure  cause.  Through  this  system- 
atic approach,  the  analyst  can  assure  a one-for-one  corre- 
spondence to  the  analysis  and  the  system  structure  as 
detailed  in  the  block  diagram. 

As  previously  mentioned,  the  list  of  failure  modes 
listed  in  Table  I also  constitutes  a convenient  source  of 
possible  failure  causes.  This  is  generally  true  since  the 
output  of  one  unit,  analyzed  by  the  assignment  of  a failure 
mode,  often  is  the  input  to  a succeeding  unit,  which  is  ana- 
lyzed by  the  assignment  of  a failure  cause.  The  actual 
manner  in  which  the  failure  cause,  or  any  other  entry,  is 
described  should,  of  course,  be  a factor  left  to  the  judge- 
ment of  the  analyst.  However,  the  analyst  should  follow  the 
guideline  of  assuring  that  the  entries  are  brief,  concise, 
and  most  especially,  clear.  The  analysis  contained  in 
Appendix  A will,  for  a majority  of  entries,  use  the  failure 
modes  of  Table  I for  continuity  and  to  provide  a standard 
base  of  information. 

Generally,  therefore,  the  assignment  of  possible  failure 
causes  involves  a consideration  of,  and  a direct  relationship 
to,  the  inputs  of  the  item  being  analyzed.  The  failure  cause 
entry,  in  conjunction  with  the  failure  mode  entry,  describes 
the  input-output  relationship  pertinent  to  the  item  being 
analyzed.  The  collection  of  these  entries  over  the  entire 
scope  of  the  entire  Failure  Modes  and  Effects  Analysis  then 
describes  the  input-output  relationships  for  the  entire 
system  over  a wide  range  of  specific  and  possible  occurrences. 

c.  Symptoms  and  Detectability.  The  function  of  the 
SYMPTOMS-DETECT ABILITY  portion  of  the  FMEA  is  to  delineate 
those  occurrences  which  might  indicate  a failure  cause.  This 
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allows  the  analyst  to  indicate  the  natural  effects  related 
to  a failure  cause  and  the  system  design  features  which  have 
been  included  to  indicate  the  failure  cause.  For  example, 
one  of  the  natural  effects  resulting  from  the  failure  cause 
of  vibration  is  noise.  Therefore,  the  analyst  can  indicate 
this  as  a symptom  of  vibration,  as  has  been  done  with  the 
motor  of  the  analysis  in  Appendix  A.  Also,  this  system  has 
the  design  feature  of  system  read-outs  to  indicate  the  physi- 
cal conditions,  such  as  temperature  and  pressure,  which  are 
related  to  the  system  performance.  These  system  read-outs, 
therefore,  indicate  symptoms  of  failure  causes  and  enable 
them  to  be  detected. 

This  section  of  the  analysis  can  also  indicate  areas  of 
design  deficiencies  by  indicating  failure  causes  which  may 
not  be  easily  detectable.  For  example,  if  the  motor  of  the 
compressor  system  stops  running,  this  is  a symptom  of  a 
failure.  However,  if  the  system  were  located  in  normally 
noisy  surroundings,  where  no  one  could  hear  the  motor  stop, 
or  if  the  operator  for  some  other  reason  was  not  aware  that 
the  motor  had  stopped,  then  this  symptom  would  go  unheeded. 
Employing  this  information  the  analyst  could  then  conclude 
that  it  might  be  necessary  to  include  some  means  of  monitor- 
ing the  motor  revolutions  in  the  design. 

The  symptoms  associated  with  a failure  cause,  and  the 
ability  to  detect  them,  have  an  important  influence  on  other 
aspects  of  any  development.  Those  failure  modes  which  have 
effects  involving  human  safety  must  be  easily  and  quickly 
detectable.  This  section  can  provide  the  safety  engineer 
with  valuable  data  on  the  detectability  of  a possible  hazard- 
ous condition.  The  accomplishment  of  the  task  for  which  the 
system  was  designed  can  also  be  influenced.  Clearly,  if  a 
relatively  minor  failure  cause  goes  undetected,  it  has  the 
potential  of  eventually  causing  the  complete  loss  of  the 
system.  Therefore,  the  symptoms  of  these  types  of  failures 
should  be  detectable.  The  FMEA  provides  this  information. 
Finally,  the  maintainability  of  the  system  is  influenced 
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because  the  SYMPTOMS-DETECT ABILITY  portion  of  the  analysis 
allows  the  analyst  to  provide  information  needed  for  mainte- 
nance instructions. 

d.  Failure  Effect.  The  failure  effect  is  simply  the 
total  effect  on  the  system  of  a particular  failure  mode.  As 
previously  mentioned,  the  failure  mode  should  be  considered 
in  relation  to  the  particular  indenture  level  being  analyzed. 
Th* - failure  effect,  however,  may  be  related  to  higher  inden- 
ture levels.  For  example,  a resistor  in  a power  supply  may 
have  a failure  mode  of  the  category  SHORTED  (ELECTRICAL)  and 
have  the  failure  effect  of  causing  the  loss  of  an  output 
transistor.  This  all  takes  place  on  the  same  indenture 
level — that  of  the  resistor.  In  contrast,  the  transistor 
failure  may  have  the  failure  effect  of  causing  the  loss  of 
the  power  supply  output,  which  is  on  a higher  indenture 
level.  Any  failure  effect  which  individually  and  directly 
causes  the  complete  loss  of  the  system  is  known  as  a single 
point  failure  and  is  considered  as  a catastrophic  failure. 

The  failure  effect,  therefore,  can  exist  on  two  levels: 
the  local  level  and  the  system  level.  The  local  level  in- 
volves the  indenture  level  of  the  unit  being  analyzed  and, 
perhaps,  the  next  higher  level.  The  system  level  involves 
the  consideration  of  that  particular  failure  effect  on  the 
over-all  system  performance. 

e.  Compensating  Provisions.  This  section  is  related  to 
the  failure  effect  in  much  the  same  way  that  the  symptoms 
section  related  to  the  failure  cause.  The  compensating  pro- 
visions are  those  design  features  of  the  system  which  have 
been  included  to  inhibit  or  prevent  the  influence  of  a 
specific  failure  effect.  For  example,  if  a system  has  been 
designed  so  that  the  failure  of  a unit  automatically  switches 
in  another  identical  unit  to  take  its  place,  then  this  redun- 
dancy feature  is  a compensating  provision.  A system  could 
also  include  the  compensating  provision  of  alternate  modes  of 
operation,  such  as  switching  from  an  automatic  mode  to  a 
manually  controlled  mode  of  operation.  This  part  of  the 
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analysis  should  also  consider  those  safety  devices  which  have 
been  included  in  the  system.  Smoke  detectors,  automatic  fire 
extinguishers,  electrical  shock  prevention  devices  and 
failure  alarms  are  just  a few. 

As  with  the  other  sections  of  the  analysis,  this  section 
can  also  provide  the  analyst  with  information  which  points 
out  design  deficiencies. 

f.  Failure  Probability.  The  failure  probability  is  a 
measure  of  the  likelihood  of  failure  of  the  item  under  con- 
sideration. At  present,  this  information  is  obtained  direct- 
ly from  the  reliability  analysis,  performed  on  the  system  in 
parallel  to  the  FMEA,  or  can  be  derived  from  the  information 
in  the  reliability  analysis  through  the  following  relation- 
ship : 

FAILURE  PROBABILITY  = 1 - RELIABILITY  ESTIMATION 
When  used  in  the  FMEA,  in  conjunction  with  the  criticality 
classification,  it  is  possible  to  determine  the  probability 
of  occurrence  of  a particular  failure  mode  and  its  relative 
seriousness . 

A detailed  explanation  of  the  basic  concepts  used  in  the 
reliability  analysis  is  beyond  the  scope  of  this  report. 
However,  it  must  be  emphasized  that  the  reliability  analysis 
is  fundamentally  probabilistic  in  nature.  A 'bottom-up' 
analysis  begins  at  the  lowest  indenture  level  of  the  system, 
involving  individual  components,  and  uses  the  reliability 
determinations  at  this  level  to  establish  the  reliability 
calculations  for  the  next  higher  level.  This  process  pro- 
ceeds up  through  the  hierarchical  structure  of  the  system 
until  reaching  the  highest  indenture  level,  or  that  of  the 
over-all  system.  A 'top-down'  analysis  begins  at  the  highest 
indenture  level  and  proceeds  to  the  lowest.  Regardless  of 
the  direction  of  the  analysis,  the  end  result  is  to  assure 
that  the  design  meets  the  requirement  of  the  specified  system 
reliability.  In  order  to  accomplish  this  task,  the  technique 
of  reliability  apportionment  is  also  used. 


30 


Reliability  apportionment  is  a 'top-down'  process  of 
subdividing  a specified  system  reliability  among  the  major 
subsystems.  Each  of  these  allocations  are  further  subdivided 
among  the  units  which  comprise  the  major  subsystems.  This 
process  establishes  a set  of  design  goals  for  each  component, 
unit,  and  subsystem,  and  when  taken  together  result  in  the 
satisfaction  of  the  specified  reliability  requirement. 

In  assessing  the  failure  probability,  the  FMEA  analyst 
should  be  aware  of  the  fact  that  the  reliability  analysis  is 
an  estimation.  Regardless  of  the  highly  developed  state-of- 
the-art,  the  probabilistic  nature  of  the  reliability  analysis 
must  be  realized. 

The  analysis  of  the  hypothetical  compressor  system 
employs  a stratification  technique,  which  is  more  fully  ex- 
plained in  later  sections.  This  somewhat  changes  the  typical 
form  of  the  FMEA  because  the  FAILURE  PROBABILITY  becomes  the 
FAILURE  PROBABILITY  RANGE.  However,  the  basic  intent  of  the 
information  is  the  same.  Regardless  of  the  technique  used 
for  this  information,  the  analyst  must  assure  that  accurate 
and  meaningful  data  is  presented.  Approximations  are  rele- 
vant only  when  the  person  reading  and  using  the  FMEA  realizes 
that  they  are  approximations. 

g.  Remarks  and  Recommendations.  This  portion  of  the 
form  is  clearly  self-explanatory.  It  is  the  area  of  the  form 
set  aside  for  the  analyst  to  provide  comments.  Brevity  and 
conciseness  are,  of  course,  necessary. 

h.  Criticality  Classification.  This  portion  of  the 
form  follows  the  definitions  outlined  in  Table  II.  As  pre- 
viously stated,  the  criticality  classification,  when  used 
with  the  FAILURE  PROBABILITY  RANGE,  can  provide  the  analyst 
information  on  the  probability  of  occurrence  of  a particular 
failure  mode  and  its  relative  seriousness. 

B.  FMEA  AND  THE  PROGRAM  MANAGER 

The  Department  of  Defense  employs  a structured  process 
for  the  acquisition  of  defense  and  space  systems.  This 
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acquisition  process  is  cyclical  in  nature  and  is  intended  to 
present  a systematic  approach  for  the  determination  of 
specific  defense  objectives,  the  establishment  of  the  manage- 
ment programs  required,  and  the  timely  and  efficient  manage- 
ment of  the  research  and  development  efforts  required  to 
accomplish  these  objectives.  Also  involved  in  this  cycle  is 
an  iterative  evaluation  process  which  is  intended  to  preclude 
the  occurrence  of  commitments  for  the  development  and  produc- 
tion of  systems  which  may  have  been  premature  with  respect  to 
the  full  verification  of  these  needs  and  goals.  It  is  not 
within  the  scope  of  this  report  to  present  a detailed  analy- 
sis of  this  procurement  cycle.  However,  in  order  to  analyze 
the  role  of  Failure  Mode  and  Effect  Analysis  in  Air  Force 
Program  Management,  it  is  necessary  to  briefly  explore  it  in 
order  to  show  the  relationship  of  the  Program  Manager  to  the 
acquisition  cycle. 

1.  The  Acquisition  Cycle.  The  acquisition  cycle,  as 
defined  by  current  Department  of  Defense  Directives  (24)  (25) 
consists  of  four  major  milestones,  as  designated  by  the 
outermost  corner  blocks  in  Figure  5.  The  inner  area  of 
Figure  5 indicates  the  name  given  to  each  milestone  which  is 
also  the  general  classification  for  the  events  which  occur 
from  milestone  to  milestone.  The  other  areas  of  Figure  5 
indicate  the  general  objectives  and  specific  management  con- 
siderations, respectively,  which  must  be  accomplished  between 
milestones.  The  dividing  line  which  occurs  at  each  milestone 
represents  a transition  which  consists  of  an  evaluation  of 
the  need  of  the  system  being  acquired  with  respect  to  the 
defense  objectives  to  be  accomplished.  It  is  at  this  transi- 
tion where  the  Program  Manager  must  decide  to  either  continue 
with  the  procurement  effort  and  proceed  with  the  actions 
leading  to  the  next  milestone,  hold  the  cycle  in  abeyance  and 
evaluate  other  alternatives,  or  to  halt  the  cycle  and  recom- 
mend cancellation  of  the  program.  Just  as  each  phase  con- 
sumes more  area  as  it  moves  from  the  center  to  the  outer 
boundaries  of  the  diagram,  so  the  acquisition  cycle  as  a 
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Figure  5. 


Acquisition  Cycle 
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whole  consumes  resources  as  it  proceeds.  Consequently,  the 
Program  Manager  must  be  sure  that  each  effort  involved  in  the 
acquisition  cycle  is  valid  and  cost  effective. 

a.  Milestone  0--Program  Initiation.  The  acquisition 
cycle  begins  at  Milestone  0.  Prior  to  this  decision  point, 
actions  have  been  taken  which  have  resulted  in  the  approval 
by  the  Secretary  of  Defense  of  the  validity  of  the  defense 
objective,  or  mission  need.  Certain  key  actions  must  take 
place  during  this  phase  of  the  cycle  before  the  decision 
point  of  Milestone  I can  be  reached. 

Once  the  program  has  been  approved  and  the  cycle  has 
begun,  a Program  Manager  is  assigned.  The  Program  Manager  is 
responsible  for  the  establishment  of  a System  Program  Office 
(SPO)  and  the  development  of  a sound  acquisition  strategy,  or 
a plan  for  the  effective  management  of  the  acquisition  cycle. 

A major  emphasis  of  this  phase  is  the  competitive  ex- 
ploration by  industry  and  designated  research  groups  of  the 
alternatives  available  in  order  to  avoid  the  possibility  of 
expending  funds  on  unrealistic  goals  or  those  which  are 
minimally  cost  effective.  In  addition,  preliminary  and 
formulative  efforts  are  made  for  future  logistics  planning. 
This  area  of  planning  includes  such  topics  as  reliability, 
maintainability  and  supply  supportability . Under  current 
directives,  FMEA  is  included  in  the  reliability  planning. 

b.  Milestone  I--Demonstration  and  Validation.  Before 
the  cycle  can  transition  from  the  Program  Initiation  Phase 

to  the  Demonstration  and  Validation  Phase,  the  decision  point 
of  Milestone  I must  be  passed.  This  requires  that  the  orig- 
inal need  be  reaffirmed  and  that  all  activities  of  the  Pro- 
gram Initiation  Phase  have  been  satisfactorily  accomplished. 
During  this  Demonstration  and  Validation  Phase,  the  feasi- 
bility and  effectiveness  of  the  alternatives  in  meeting  the 
mission  need  must  be  demonstrated  and  proven.  The  Program 
Manager  must  establish  the  management  constraints  for  each 
alternative  and  assess  the  problems  and  issues  of  the  recom- 
mended actions.  In  addition,  the  Program  Manager  must 
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establish  projections  for  the  management  parameters  involved 
in  cost,  performance  and  scheduling.  Demonstration  and  val- 
idation test  and  evaluation  data  must  also  include  the  capa- 
bility of  each  alternative  to  meet  the  logistics  requirements 
of  reliability,  maintainability  and  supportabil ity . 

c . Milestone  II — Full-Scale  Engineering  Development. 

The  initial  management  action  taken  during  this  phase  is  a 
reaffirmation  of  the  original  need  and  an  evaluation  of  the 
defense  objective,  or  mission,  to  be  accomplished.  Then,  a 
specific  alternative  is  selected  for  full-scale  engineering 
development  based  on  the  results  of  the  demonstration  and 
validation  test  and  evaluation.  Operational  and  logistical 
considerations  are  made  which  will  produce  the  most  effective 
balance  in  cost,  performance  and  scheduling.  Realistic 
design-to-cost  and  life-cycle  cost  requirements  must  be  made 
in  order  to  assure  effective  achievement  of  the  cost  objec- 
tives. 

Logistics  support  planning  is  included  in  essentially 
every  major  action  of  this  phase  because  of  three  paramount 
considerations.  First,  it  is  important  to  identify  the  un- 
certainties and  risks  involved  in  the  selected  alternative, 
and  resolve  them  to  an  acceptable  level.  Whenever  these 
uncertainties  and  risks  cannot  be  determined  to  be  accept- 
able, their  impact  upon  the  successful  accomplishment  of  the 
procurement  effort,  and  the  satisfaction  of  the  defense  ob- 
jective, must  be  determined.  Second,  the  development  must  be 
logistically  supportable  and  the  requirements  must  be  estab- 
lished to  assure  the  availability  of  parts  and  material. 
Third,  all  aspects  of  reliability  and  maintainability  must  be 
evaluated  in  order  to  establish  the  accomplishment  of  design- 
to-cost  and  life-cycle  cost  requirements,  to  assure  the  iden- 
tification of  risk  areas,  to  support  the  operational  and 
logistical  considerations,  and  to  provide  a foundation  for 
the  operational  test  and  evaluation  efforts  which  must  be 
accomplished  before  the  cycle  can  transition  from  this  phase 
to  the  decision  point  of  Milestone  III. 
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d.  Milestone  III — Production  and  Deployment.  As  in  all 
the  previous  portions  of  the  cycle,  this  phase  is  initiated 
only  after  the  need  has  been  reevaluated  and  reaffirmed  and 
all  actions  of  the  previous  phase  have  been  completed. 
Transition  past  Milestone  III  represents  a decision  to  pro- 
ceed with  production  and  deployment  efforts  based  upon  this 
reaffirmation  of  the  original  need  and  the  test  and  evalua- 
tion results.  At  this  point  in  the  acquisition  cycle,  all 
aspects  and  requirements  of  cost,  performance,  schedule, 
design-to-cost  and  life-cycle-cost  factors,  system  support, 
reliability  and  maintainability  must  be  valid  and  cost 
effective . 

2.  Utilization  of  FMEA.  Currently,  the  utilization  of 
Failure  Modes  and  Effects  Analysis  is  somewhat  limited  in 
scope  due  to  the  fact  that  FMEA  is  closely  tied  to  a specific 
design.  Although  FMEA  is  a portion  of  the  reliability 
planning  effort,  and  is  considered  in  the  initial  logistics 
planning  effort,  its  use  in  the  Program  Initiation  Phase  is 
practically  nonexistent. 

The  use  of  FMEA  does  not  become  significant  until  after 
Milestone  II,  in  the  Full-Scale  Engineering  Development 
Phase.  Again,  this  is  due  to  the  fact  that  a firm  design  is 
not  usually  available  until  this  time,  and  the  current  prac- 
tice for  formulating  a FMEA  is  based  upon  the  availability  of 
this  design.  During  this  phase  many  important  aspects  of  the 
acquisition  begin  to  take  shape.  Reliability  and  maintain- 
ability determinations  are  made  which  will  have  a significant 
impact  on  the  effectiveness  of  the  chosen  alternative  to 
satisfy  the  defense  objective.  Other  logistical  considera- 
tions, such  as  procurement  of  parts  and  material  requiring 
long  order  times  and  system  spare  parts  support,  are  made 
which  establish  the  foundations  for  a production  decision. 
These,  and  numerous  other  considerations,  are  built  upon  the 
actions  of  the  preceeding  activities  and  vastly  affect  the 
succeeding  ones.  In  addition,  design  reviews  are  held,  the 
function  of  which  is  to  review  the  effectiveness,  validity 
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and  maturity  of  the  design.  The  use  of  FMEA  in  the  acquisi- 
tion first  becomes  apparent  at  this  time  because  it  is  a re- 
quirement, based  upon  current  Department  of  Defense  procure- 
ment directives,  that  these  design  reviews  include  an 
evaluation  of  the  FMEA.  Specifically,  this  evaluation  must 
determine  that  the  contractor  involved  has  eliminated,  or 
sufficiently  resolved  and  compensated  for,  all  category  III 
and  IV  failure  modes.  Also,  it  is  during  the  Full  Scale 
Development  Phase  that  the  Safety  and  Hazard  Analysis  for  the 
system  begins  to  take  shape.  Currently,  the  FMEA  is  a major 
resource  in  the  formulation  of  this  analysis. 

During  the  Production  and  Deployment  Phase  the  FMEA 
again  becomes  dormant.  Essentially,  its  purpose  under 
current  practices  is  fulfilled  and  it  is  used  primarily  as  a 
design  and  reliability  reference.  This  is  not  to  slight  the 
effort  which  is  involved  in  formulating  and  compiling  a FMEA 
for  a system  because,  in  a majority  of  cases,  the  effort 
involves  a great  deal  of  time  and  consumes  a significant 
amount  of  resources  in  man-hours  and  money.  For  example,  the 
FMEA  for  the  hydraulics  system  of  an  aircraft  can  often 
occupy  numerous  volumes.  The  FMEA  for  the  entire  aircraft, 
covering  all  subsystems,  can,  and  does  in  the  case  of  the 
F-15  aircraft,  present  a significant  storage  problem  because 
of  its  size. 

This  points  out  a significant  road-block  to  the  wide- 
spread utilization  of  the  FMEA  by  Program  Management.  The 
areas  of  responsibility  which  must  be  assumed  by  the  Program 
Manager  are  vast  and  wide  in  scope.  The  current  procedures 
used  by  contractors  in  formulating  a FMEA  result  in  a docu- 
ment, or  set  of  documents,  which  are  quite  voluminous.  This 
is  primarily  due  to  the  fact  that  a majority  of  Failure  Mode 
and  Effect  Analyses  are  performed  to  cover  every  possible 
avenue  of  failure  mode  and  to  include  every  indenture  level 
of  the  system.  If  one  magnifies  the  scope  of  the  hypothet- 
ical FMEA  in  Appendix  A to  include  every  possible  failure 
mode  of  every  individual  subsystem,  unit  and  component  of  the 
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system,  it  is  not  difficult  to  realize  that  this  analysis 
would  quickly  mushroom  into  a nearly  unmanageable  size. 

Clearly,  it  becomes  increasingly  difficult  for  Program 
Management  to  be  able  to  efficiently  assimilate  so  much  data 
carried  to  such  an  extreme  depth.  The  FMEA  process  loses 
flexibility,  ceases  to  become  a management  tool  and  becomes, 
instead,  an  exercise  accomplished  because  the  current  direc- 
tives require  it.  The  process  also  loses  validity  because 
funds  are  expended  for  an  effort  with  doubtful  cost  effec- 
tiveness. That  is,  one  can  question  the  validity  of  data 
that  is  so  extensive  that  few  are  in  a position  to  analyze  it 
or  take  benefit  from  its  formulation.  What  is  clearly  needed 
is  a methodology  for  incorporating  the  experience  gained  from 
past  Failure  Mode  and  Effect  Analyses,  and  the  needs  of  the 
Program  Manager  for  obtaining  accurate  data  concerning  the 
problems  and  issues  of  a particular  system  and  procurement 
effort  which  can  be  quickly  and  effectively  employed  in  the 
decision  making  process.  Also,  what  is  needed  is  a revision 
of  the  philosophy  surrounding  the  formulation  and  use  of  such 
a document  to  preclude  the  current  difficulties. 

C.  A REVISION  OF  PHILOSOPHY 

Failure  Mode  and  Effect  Analysis  can  potentially  be  a 
valuable  tool  for  the  Air  Force  Program  Manager.  However,  an 
extensive  study  of  the  current  role  of  FMEA  in  Air  Force  Pro- 
gram Management  has  shown  that  the  use  of  FMEA  as  a manage- 
ment tool  is  hindered  by  the  current  philosophy  which 
surrounds  the  process.  This  philosophy  has  resulted  in 
procedures  which  tend  to  continue  to  limit  the  scope  of  FMEA 
utilization  and  which  contribute  to  the  development  of  FMEA 
as  a process  which  becomes  increasingly  separated  from  man- 
agement. What  seems  to  be  happening  is  that  FMEA  is  becoming 
more  a reliability  and  design  aid  than  a valuable  resource 
easily  visible  to,  and  of  direct  and  substantial  use  by,  Air 
Force  Program  Management.  The  following  sections  are  a dis- 
cussion of  the  aspects  of  this  current  philosophy  which 
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should  be  readjusted  if  the  Air  Force  Program  Manager  is  to 
have  the  latitude  to  derive  full  benefit,  within  a management 
environment,  from  the  effort  expended  in  accomplishing  a 
FMEA . 

1.  Education . The  procedures  for  formulating  and  eval- 
uating a FMEA  are,  based  upon  a study  of  Air  Force  procure- 
ment efforts,  relatively  ill-defined.  Although  Military 
Standard  785A  stipulates  the  requirement  for  accomplishing  a 
FMEA,  it  makes  no  reference  to  any  formalized  documentation 
which  might  explain  the  basic  concepts  involved.  This  study 
has  found  that  no  such  documentation,  either  in  the  form  of 
Air  Force  Manuals  or  Pamphlets,  exists  to  aid  the  Program 
Manager.  Few  of  the  references  reviewed  by  this  study  con- 
tain more  than  a superficial  explanation  of  the  need  and  use 
of  FMEA.  A majority  of  these  works,  dealing  with  reliability 
engineering,  logistics  engineering  and  program  and  systems 
management,  contain  only  a few  short  paragraphs  which  deal 
with  FMEA.  A review  of  over  600  articles  and  papers  on  the 
broad  subject  area  of  reliability,  available  through  the 
Defense  Logistics  Studies  Information  Exchange  (DLSIE),  pro- 
duced only  one  article  which  specifically  covered  the  pro- 
cedures involved  in  formulating  a FMEA.  No  articles  have 
been  found  by  this  study  to  deal  specifically  with  the  role 
of  FMEA  in  Program  Management  or  how  FMEA  might  be  employed 
for  the  evaluation  of  the  success  of  a procurement  effort. 
Industrial  standards  which  have  been  reviewed  have  been  found 
to  be  rather  limited  in  scope,  primarily  as  "how-to"  refer- 
ences, with  little  emphasis  on  the  management  aspects  of  the 
process . 

The  FMEA  process  is  currently,  and  should  continue  to 
be,  a contractor  responsibility.  However,  the  Program  Man- 
ager has  a basic  responsibility  to  understand  those  endeavors 
undertaken  by  a contractor,  in  order  to  properly  manage  the 
resources  which  they  consume.  This  study  has  found  that  FMEA 
is  a process  which  is  not  fully  understood  by  the  Air  Force 
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Program  Manager,  based  on  a number  of  interviews,  and  which 
is  not  currently  employed  to  its  full  potential. 

Current  procurement  practices  call  for  the  FMEA  for  a 
system  development  to  be  an  agenda  item  at  all  design 
reviews.  Reliability  engineers  evaluate  the  FMEA  primarily 
to  determine  if  the  contractor  has  satisfactorily  resolved 
all  mission  critical,  or  Category  III  and  IV,  failures. 

After  fulfilling  this  requirement,  the  FMEA  is  retired  to  the 
contractors'  files,  updated  as  required,  and  produced  at  the 
next  design  review.  Little  Air  Force  documentation  has  been 
found  by  this  study  which  details  in  depth  the  formulation, 
evaluation  or  potential  use  of  FMEA.  This  study  has  found 
that  a great  number  of  those  individuals  involved  in  evaluat- 
ing the  FMEA  accept  the  validity  of  the  contractors'  analyti- 
cal procedures  with  little  in-depth  knowledge  of  the  process. 
In  addition,  the  formalized  training  conducted  on  FMEA  is 
minimal  in  scope  and  a majority  of  individuals  have  either 
learned  about  the  process  by  experience  or  by  instruction  on 
the  job. 

This  is  not  to  imply  that  FMEA  should  be  removed  from 
the  realm  of  responsibility  of  the  contractor.  Quite  the 
contrary,  because  the  contractor  has  the  best  working  know- 
ledge of  the  system  development  and  should  be  the  originator 
of  the  FMEA.  However,  what  is  needed  is  a shift  of  the 
philosophy  surrounding  the  FMEA  in  that  management,  and  those 
who  perform  the  evaluation  during  design  reviews,  should  be 
more  knowledgeable  about  the  basic  concepts  involved.  FMEA 
has  more  value  than  just  being  a scheme  for  the  counting  of 
mission  critical  failures.  Formal  Air  Force  documentation  is 
needed  which  will  constitute  a baseline  of  knowledge  for  the 
proper  utilization  of  FMEA. 

Standardization  of  the  format  or  content  of  a FMEA  is 
just  as  undesirable  as  removing  the  responsibility  for  the 
FMEA  from  the  contractor.  Since  the  FMEA  is  also  a con- 
tractor resource,  any  change  which  inflicts  bureaucratic 
standardization  retards  the  creativity  of  the  contractor  in 
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effectively  performing  his  function.  However,  there  are 
certain  aspects  of  a FMEA  which  will  occur  in  nearly  every 
system  development,  and  Program  Management  should  assure 
that  they  are  contained  in  the  FMEA.  Such  items  as  failure 
mode,  failure  cause,  failure  effect,  criticality  classifica- 
tion, and  some  measure  of  failure  probability  are,  as 
previously  described,  clearly  central  to  the  FMEA  process. 

The  form  and  content  requirement  for  other  items,  such  as 
compensating  provisions  and  remarks,  should  be  a function  of 
the  Program  Management  of  each  separate  development  effort. 
Close  cooperation  between  the  contractor  and  Program  Manage- 
ment is  essential  to  the  production  of  a meaningful  analysis. 

2.  Early  Program  Assessment.  A major  factor  which  this 
study  has  found  which  hinders  the  wide  use  of  FMEA  is  its 
current  dependency  upon  a rather  well  developed  design  of  the 
system.  This  design  is  not  usually  developed  to  a state 
which  is  easily  analyzed  until  late  in  the  Demonstration  and 
Validation  portion  of  the  acquisition  cycle,  shown  in  Figure 
5.  This  is  yet  another  aspect  of  the  current  FMEA  philosophy 
which  should  be  changed  in  order  to  derive  expanded  benefit 
from  the  FMEA.  The  evaluation  of  a defense  alternative  while 
it  is  in  the  conceptual  phase  of  development,  before  it  be- 
comes a definitive  design  and  before  the  initiation  of  design 
reviews,  can  provide  management  with  indications  of  its  feas- 
ibility and  emphasize  problem  areas  early  in  the  acquisition 
cycle  when  costs  are  generally  lower. 

Although  somewhat  simplistic  in  nature,  the  system  dia- 
gram of  Figure  1 represents  a system  in  a conceptual  phase. 
All  of  the  specifications  are  involved  and  the  subsystem 
interrelationships  are  evident.  The  FMEA  contained  in 
Appendix  A is  an  analysis  of  this  hypothetical  design.  Ad- 
mittedly, a defense  system  may  be  more  complex  but  nearly 
every  design  goes  through  the  same  conceptual  phase-point  as 
that  of  Figure  1.  What  is  most  important  is  that  it  is 
possible  to  quickly  determine  potential  system  weaknesses 
from  an  analysis  accomplished  at  this  early  stage  of  system 
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development.  Unlike  the  situation  caused  by  current  pro- 
cedures, the  Program  Manager  has  early  visibility  of  the 
feasibility  of  the  project,  early  knowledge  of  the  general 
system  structure,  and  without  the  complexity  of  succeeding 
levels  of  design  detail  it  is  possible  for  him  to  quickly 
isolate  the  areas  of  the  procurement  process  which  will  re- 
quire close  managerial  attention.  When  many  alternatives 
are  being  considered  for  possible  development,  the  accom- 
plishment of  this  generalized  FMEA  offers  a valid  and  cost 
effective  vehicle  by  which  the  feasibility  of  each  alterna- 
tive can  be  assessed. 

In  the  analysis  in  Appendix  A,  it  can  be  seen  that  the 
Instrumentation  section  of  the  system,  shown  in  Figure  1,  has 
three  areas  which  can  cause  serious  problems.  First,  the 
read-outs  of  temperature  and  pressure,  reference  0.1-1,  can 
cause  a Category  III  failure  when  the  read-outs  are  normal 
and  the  inputs  are  abnormal.  Second,  the  Automatic  Shutdown, 
reference  0.1-2,  can  cause  a Category  IV  failure  if  there 
should  be  a loss  of  output  when  the  inputs  are  abnormal. 
Third,  the  Air  Pressure  Relief,  reference  0.1-3,  can  cause  a 
Category  IV  failure  if  there  should  be  a loss  of  output  when 
the  inputs  are  abnormal.  In  addition,  an  analysis  of  this 
third  entry  has  resulted  in  a specific  safety  recommendation. 
Each  of  these  areas  would,  in  an  actual  system  development, 
require  management  attention.  Their  early  assessment  could 
potentially  result  in  a more  efficient  allocation  of 
resources  and  a more  cost  effective  procurement  effort. 

It  must  be  emphasized  that  these  indications  of  poten- 
tial system  deficiencies  are  evident  not  because  of  an  analy- 
sis of  a detailed  design  but  rather  that  of  a conceptual 
block  diagram.  This  type  of  diagram,  in  most  cases,  is 
available  during  the  early  phases  following  Milestone  0,  when 
the  various  defense  alternatives  are  being  evaluated  for 
future  development.  What  is  gained  by  this  introduction  of 
FMEA  early  in  the  acquisition  cycle  is  an  early  indication  of 
the  existence  of  specific  problem  areas  when  the  cost  of 
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redesign  and  evaluation  are  low.  Also,  this  example  points 
out  that  it  is  not  a general  requirement  of  all  system  pro- 
curement efforts  to  accomplish  a FMEA  based  solely  upon  a 
detailed  design  in  order  to  produce  an  analysis  which  is 
beneficial  to  Program  Management. 

As  before,  it  is  not  considered  prudent  to  remove  the 
responsibility  of  this  preliminary  FMEA  from  the  jurisdiction 
of  the  contractor.  The  Air  Force  Program  Manager  is  not  a 
system  designer,  but  he  does  have  a responsibility  to  provide 
design  guidance.  The  accomplishment  of  a FMEA  while  the 
system  is  being  conceptualized  will  enable  him  to  accomplish 
this  task  on  a continuing  basis  and  provide  a cost  effective 
means  of  transitioning  from  milestone  to  milestone. 

3.  Increased  Management  Visibility.  In  order  to 
properly  manage  the  continuing  effort  of  a defense  system 
acquisition,  the  Program  Manager  must  have  full  visibility 
of  the  progress  and  maturity  of  the  system  development.  This 
is  especially  true  when  the  acquisition  cycle  transitions  to 
the  point  where  a validation  of  the  need  of  the  defense  ob- 
jective is  required.  Under  the  current  philosophy  of  FMEA 
use  it  is  not  possible  to  easily  fit  the  FMEA  into  this  con- 
text, primarily  because  of  its  size  and  complexity.  Under- 
standably, the  least  conceivable  action  that  a Program 
Manager  might  take  when  arriving  at  this  decision  point  would 
be  to  bury  himself  in  the  detail  of  a FMEA.  However,  the  in- 
formation which  he  most  probably  needs  at  this  point  is  con- 
tained in  the  FMEA.  Again,  what  is  needed  is  a shift  of 
philosophy . 

Few  programs  require  that  the  contractor  deliver  copies 
of  the  full  scale  FMEA  to  Program  Management,  which  is  logi- 
cal when  one  considers  its  size  and  complexity.  Instead,  the 
contractor  retains  possession  of  the  FMEA  and  produces  copies 
only  on  demand.  As  each  design  review  is  held,  the  FMEA  is 
made  available  for  Air  Force  review  and  evaluation.  The 
contractor  then  reclaims  the  FMEA  and  performs  the  update  as 
requirements  and  design  changes  dictate.  The  question 
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remains,  however,  of  how  Program  Management  can  retain  visi- 
bility of  the  progress  of  the  system  development  when  one  of 
the  primary  source  documents  for  this  assessment  remains  with 
the  contractor.  Delivery  of  the  FMEA  by  the  contractor  does 
not  offer  a plausible  solution  because  it  still  burdens  the 
Program  Manager  with  the  necessity  of  reviewing  a sizeable 
document . 

a.  The  FMEA  Transition  Summary.  One  answer  may  lie  in 
the  use  of  the  FMEA  Transition  Summary,  shown  in  Figure  6. 
This  type  of  supplement  to  the  FMEA  is  not  a summary  of  the 
contents  of  the  FMEA.  Instead,  it  is  a summary  of  the 
changes  which  have  taken  place  to  the  FMEA,  especially  be- 
tween design  reviews  and  as  design  changes  take  place,  and 
offers  some  immediate  benefits  over  the  current  practice. 

The  format  presented  here  is  an  improvement  of  that  offered 
by  Arnzen  (26)  in  that  the  Summary  is  directly  related  to  the 
system  block  diagrams  through  the  REFERENCE  entry  and  the 
change  in  criticality  classification  is  made  clearer. 

The  FMEA  Transition  Summary  provides  a real-time  visi- 
bility over  the  progress  of  the  system  development  because  as 
design  changes  occur,  and  the  contractor  submits  an  amended 
Summary,  Program  Management  can  directly  relate  their  impact 
to  the  system  objectives.  This  is  not,  in  any  way,  to  sug- 
gest that  the  current  practice  of  filing  an  Engineering 
Change  Proposal  (ECP)  is  not  effective,  but  the  use  of  the 
FMEA  Transition  Summary  draws  direct  correlations  between  the 
design  change  and  the  effect  of  that  change  upon  the  FMEA  and 
the  system  development.  The  use  of  the  Summary  also  offers 
the  advantage  of  providing  a reference  to  those  individuals 
participating  in  the  design  review  of  the  changes  which  have 
occurred  since  the  last  review.  In  this  way,  the  design 
review  process  is  expedited  because  each  change  can  be 
directly  and  quickly  related  to  the  FMEA  to  determine  the 
effect  of  the  change.  Therefore,  the  reviewer  does  not  have 
to  retrace  areas  already  covered  in  a previous  review  and  can 
efficiently  proceed  to  the  affected  sections  of  the  FMEA. 
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Another  important  responsibility  of  the  Program  Manager 
is  to  be  able  to  quickly  and  efficiently  evaluate  the  para- 
meters of  cost,  performance  and  schedule  requirements  in 
order  to  assess  the  impact  of  trade-offs.  In  other  words,  he 
must  be  able  to  determine  the  cost-benefit  relationships  in- 
volved in  each  area  of  the  system  development.  The  FMEA 
Transition  Summary  offers  a method  for  accomplishing  this 
task  because  as  each  design  change  takes  place,  and  is  re- 
corded on  the  Summary,  the  Program  Manager  can  relate  its 
implementation  to  the  FMEA  and  evaluate  its  impact.  The 
collection  of  the  Summaries  constitute  a chain  of  events  in 
the  system  development  and  the  Program  Manager  can  arrive  at 
conclusions  regarding  the  relative  value  of  each  change  by 
reviewing  the  changes  which  preceeded  it. 

b.  The  Failure-Criticality  Grid.  The  format  and  con- 
tent of  a FMEA  done  by  one  contractor  differs  in  form  and 
content  from  that  of  another.  However,  most  contain  either 
an  entry  for  failure  rate  or  failure  probability.  Both  of 
these  factors  are  derived  from  the  information  in  the  relia- 
bility analysis  but  have  subtle  differences.  Failure  proba- 
bility is  the  probability  that  a failure  will  occur  during  a 
specified  interval  of  time  and  failure  rate  is  the  frequency 
at  which  failures  occur  over  a specified  interval  of  time. 
Failure  probability  is  usually  expressed  as  a number  between 
zero  and  one  and  failure  rate  is  normally  expressed  as  the 
number  of  failures  occurring  per  unit  operating  hour.  This 
type  of  information  is  generally  beneficial  because  it  pro- 
vides some  degree  of  correspondence  to  the  likelihood  of  the 
occurrence  of  a failure  mode.  The  question  arises,  however, 
of  how  a Program  Manager  can  effectively  employ  this  informa- 
tion in  assessing  the  progress  of  the  system  development, 
establishing  trade-offs  with  respect  to  the  factors  of  cost, 
schedule  and  performance,  or  determining  the  dollar  impact  of 
changes . 

The  Failure-Criticality  Grid,  shown  in  Figure  7,  is  a 
modification  of  that  used  by  Stump  (27)  in  that  it  more 
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effectively  incorporates  the  definitions  of  Section  III.  The 
Failure-Criticality  Grid  is  intended  to  provide  a method 
which  will  allow  the  Program  Manager  to  easily  visualize  the 
relationships  of  failure  probability  or  failure  rate  and 
criticality  classification.  This  can  be  especially  benefi- 
cial for  the  Program  Manager  in  his  efforts  in  determining 
the  capability  of  the  system  to  meet  specific  design  goals 
and  defense  objectives,  allocating  resources  to  critical 
areas  of  the  procurement  effort,  establishing  the  impact  of 
design  changes,  and  in  determining  the  progress  and  maturity 
of  the  system  development.  The  Failure-Criticality  Grid  uses 
a technique  of  stratifying  the  failure  probability  or  failure 
rate  information  into  designated  ranges.  It  must  be  empha- 
sized that  the  following  discussion  employs  failure  ranges 
which  are  for  example  only. 

Stratification,  as  used  in  the  formulation  of  the 
Failure-Criticality  Grid  presented  here,  is  the  process  of 
dividing  the  probability  space  into  different  ranges  when 
using  failure  probability  data.  (28)  For  failure  rate  data, 
the  area  of  stratification  could,  for  example,  cover  from 
zero  failures  per  unit  time  to  the  maximum  specified  failures 
per  unit  time.  The  ranges  are  flexible  and  can  be  adjusted 
in  size  and  number  according  to  the  system  specification  and 
the  requirements  of  Program  Management.  The  stratification 
shown  in  Table  IV  is  used  for  the  hypothetical  FMEA  in 
Appendix  A.  Again,  it  must  be  emphasized  that  the  failure 
ranges,  failure  probabilities  and  failure  rates  used  herein 
are  for  example  only.  In  actual  use  in  a procurement  effort, 
these  factors  would  be  based  upon  the  specification  and  the 
requirements  of  the  Program  Management  of  that  particular 
program. 

The  Failure-Criticality  Grid  is  a method  by  which  the 
Program  Manager  can  quickly  and  efficiently  determine  the 
relationship  of  the  criticality  classification  and  the  fail- 
ure range,  as  determined  by  the  stratification  technique.  As 
entries  are  made  in  the  Grid,  the  distribution  of  the  failure 
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TABLE  IV 

STRATIFICATION  OF  FAILURE  RANGES  USED  IN  THE 
PROGRAM  DISTRIBUTION  GRID 


RANGE 

1 Failure  probability  which  is  less  than  or 
equal  to  0.01;  very  low. 

Failure  rate  of  one  or  less  failures  per 
year . 

2 Failure  probability  which  is  greater  than 
0.01  and  less  than  or  equal  to  0.10;  low. 
Failure  rate  of  more  than  one  failure  per 
year  and  two  or  less  failures  per  year. 

3 Failure  probability  which  is  greater  than 
0.10  and  less  than  or  equal  to  0.20;  medium. 
Failure  rate  of  more  than  two  failures  per 
year  and  three  or  less  failures  per  year. 

4 Failure  probability  which  is  greater  than 
0.20;  high. 

Failure  rate  of  greater  than  three  failures 
per  year. 
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modes,  specified  by  unit  and  signal  reference  number,  become 
apparent.  The  Grid  shown  in  Figure  7 is  for  the  system  shown 
in  Figure  1 and  the  FMEA  in  Appendix  A.  The  vertical  axis 
represents  the  criticality  classification,  in  descending 
order,  and  the  horizontal  axis  represents  the  failure  ranges 
obtained  after  stratification.  Each  failure  mode  is  then 
assigned  to  its  respective  location  in  the  matrix  based  upon 
these  two  factors,  and  is  designated  by  the  indenture  level 
reference  notation  described  in  earlier  sections. 

This  study  has  found  that,  owing  to  its  size  and  com- 
plexity, a FMEA  accomplished  with  current  techniques  is 
extremely  difficult  to  analyze  with  respect  to  the  relative 
occurrence  of  any  single  criticality  classification  and  the 
distribution  of  all  criticality  classifications  over  the 
entire  system.  The  Failure-Criticality  Grid  clearly  fulfills 
this  need.  The  primary  benefit  of  this  method  is  that  the 
Air  Force  Program  Manager  has  immediate  visibility  of  the 
entire  system  development. 

If  a Program  Manager  should  establish  the  goal  of  reduc- 
ing the  number  of  Category  III  and  IV  failures,  as  well  he 
should,  the  Failure-Criticality  Grid  offers  him  a vehicle 
with  which  to  measure  the  success  of  his  efforts.  In  addi- 
tion, he  can  determine  the  change  in  status  of  the  failure 
modes  for  the  entire  system.  For  example,  if  a design  change 
were  implemented  to  eliminate  the  Category  Ill-Range  3 
failure  mode,  referenced  by  0.1-1  in  Figure  7,  and  this 
change  resulted  in  a shift  of  this  failure  mode  to  Category 
IV-Range  1,  the  change  would  be  obvious  with  the  use  of  the 
Grid.  Current  FMEA  procedures  require  that  a large  portion 
of  the  FMEA  would  have  to  be  analyzed  before  such  a change 
would  be  apparent.  The  Grid  of  Figure  7 shows  a large 
cluster  of  failure  modes  in  Category  IV-Range  1.  Perhaps  a 
Program  Manager  might  want  to  allocate  resources  to  change 
this  situation.  Under  current  practices,  this  grouping  of 
failure  modes  would  be  hidden  in  the  complexity  of  the  FMEA. 
Nearly  every  occurrence  which  changes  the  criticality 
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classification  or  failure  range  of  a specific  failure  mode 
is  made  clear  through  the  use  of  the  Failure-Criticality 
Grid.  In  addition,  the  impact  of  such  a change  upon  the 
entire  system  configuration  is  readily  apparent.  Essen- 
tially, the  Grid  can  provide  the  Air  Force  Program  Manager 
with  increased  visibility  of  the  procurement  effort  and 
result  in  increased  managerial  efficiency.  The  benefits  to 
be  derived  from  the  use  of  the  Failure-Criticality  Grid  are 
only  limited  by  the  Program  Manager. 

4.  Increased  Management  Flexibility.  A significant 
situation  which  has  been  found  to  exist  is  the  lack  of  man- 
agement flexibility  in  the  formulation  of  the  Failure  Mode 
and  Effect  Analysis  of  a specific  system.  The  Program  Manag- 
er does  not  have  the  latitude  to  manage  this  resource  because 
he  cannot  make  determinations  as  to  the  scope  of  the  FMEA  for 
his  program.  For  example,  if  a particular  subsystem  does  not 
show  the  potential  for  causing  significant  problems  in  the 
system  development  the  Program  Manager  cannot  specify  the 
level  to  which  this  subsystem  will  be  analyzed.  Current 
practices  and  requirements  dictate  that  all  portions  of  the 
system  will  be  analyzed  to  the  lowest,  or  component  level. 

Of  course,  this  assures  that  no  possible  contingency  can 
occur  which  will  degrade  the  system  performance;  however,  it 
lessens  the  authority  of  the  Program  Manager.  The  formula- 
tion of  a FMEA  consumes  time,  funds  and  personnel.  If  the 
current  depth  of  analysis  is  not  needed,  in  the  opinion  of 
the  authority  responsible  for  the  program,  then  the  question 
remains  whether  these  resources  can  be  better  spent  in  other 
areas.  When  the  depth  of  the  information  precludes  its  use 
because  of  the  time  needed  to  assess  it,  then  that  informa- 
tion, and  the  resources  spent  to  produce  it,  have  reached  a 
point  where  the  return  diminishes. 

The  FMEA  presented  in  this  study  is  a model  upon  which 
an  actual  FMEA  can  be  based.  However,  with  the  practices  in 
effect,  the  Program  Manager  does  not  have  the  latitude  to 
stipulate  the  format  which  the  contractor  will  use.  This  is 
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especially  true  if  the  contractor  does  not  supply  all  the 
information  which  the  Program  Manager  might  require.  Essen- 
tially, the  Program  Manager  is  put  in  the  situation  ol' 
getting  what  he  is  given  and  being  forced  to  be  satisfied 
because  to  reaccomplish  this  effort  may  cost  significantly 
more  than  the  program  plan  and  budget  can  bear. 

5.  Increased  Logistic  Supportabil ity . The  true  valid- 
ity and  cost  effectiveness  of  the  FMEA  process  lies  in  its 
capability  to  be  applied  to  a diverse  number  of  areas  of  the 
procurement  effort.  This  study  has  found  that  the  current 
structure  of  Failure  Mode  and  Effect  Analysi?  and  the  general 
philosophy  surrounding  its  use  have  acted  as  i.'eterents  to  its 
being  employed  to  its  full  potential.  This  i .specially 
true  in  the  broad  area  of  logistics  support,  since  it  in- 
volves some  key  activities.  A change  in  the  current  philoso- 
phy, and  the  subsequent  change  in  the  procedures,  can  result 
in  a wider  use  and  acceptance  of  FMEA.  As  the  scope  of  FMEA 
use  increases  to  cover  more  aspects  of  the  procurement 
effort,  its  validity  and  cost  effectiveness  increase. 

Logistics  support  is  a term  which  may  be  applied  to 
encompass  a variety  of  subjects.  For  the  purposes  of  this 
discussion,  logistic  support  will  include  the  areas  of  oper- 
ational testing,  supply  support,  maintainability,  personnel 
and  training,  and  technical  data.  Just  as  each  portion  of 
the  model  FMEA  presented  can  benefit  the  Program  Manager  in 
his  endeavor  to  manage  the  over-all  system  development,  so 
they  can  benefit  each  of  these  subdivisions  of  the  program. 

The  maintainability  of  the  system,  or  the  capability  for 
the  system  to  be  effectively  repaired  and  serviced,  is  a 
factor  which  must  be  considered  throughout  the  entire  acqui- 
sition cycle.  Clearly,  if  the  system  is  not  maintainable 
then  its  feasibility  for  fulfilling  the  defense  objective  is 
negated.  The  impact  of  design  changes,  the  types  and  distri- 
bution of  failures,  the  causes  and  effects  of  failures,  the 
symptoms  and  detectability  of  failures,  and  the  interrela- 
tionships of  subsystems  are  all  factors  which  influence 
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maintainability.  Accordingly,  the  FMEA  is  a method  by  which 
each  of  these  factors  can  be  assessed.  However,  this  study 

has  found  that  little  use  is  made  of  the  FMEA  in  this  con-  I 

text.  A great  deal  of  the  information  which  is  used  to 

l 

evaluate  the  maintainability  of  a system  is  drawn  from  the 
reliability  analysis  because  of  the  numerical  determinations 
made  for  such  factors  as  mean-t ime-to-repair  (MTTR),  mean- 

time-between-f ailure  (MTBF),  mean-t ime-between-replacement  i 

(MTBR),  maintenance  downtime  (MDT),  and  total  turnaround 
time  (TAT).  The  FMEA  is  not  structured  to  provide  the  calcu- 
lations for  these  factors,  and  it  should  not  be.  However, 

« 

the  FMEA  can  provide  the  information  needed  to  make  a quali-  1 

tative  evaluation  of  maintainability  because  it  does  show  the 
relative  impact  of  design  changes,  and  emphasizes  those  areas 
of  failure  which  can  cause  significant  maintenance  problems. 

The  Failure  Mode  and  Effect  Analysis  also  shows  the  subsystem 
relationships  involved  in  the  system  and  can  indicate  the 
existence  of  problem  areas  which  may  not  be  apparent  by  the 
numbers  alone. 

Each  failure  which  occurs  will,  in  most  cases,  require 
some  type  of  supply  support  in  the  form  of  a part  used  to 
repair  it.  Again,  the  FMEA  is  suited  to  provide  the  informa- 
tion necessary  to  accomplish  the  planning  for  this  supply 
support.  The  types  and  distribution  of  failure  modes  for  the 
entire  system,  and  for  specific  subsystems,  obviously  give 
indications  of  the  frequency  with  which  the  system  will  re- 
quire parts.  In  addition,  this  information  can  be  valuable 
in  determining  the  priorities  which  will  be  involved.  For 
example,  Category  I failures  may  not  require  as  high  a supply 
priority  as  Category  II  failures.  A particular  subsystem 
with  a high  incidence  of  failures  in  one  area  will  likely 
require  more  spare  parts  than  another.  In  addition,  informa- 
tion presented  in  the  FMEA  can  provide  indications  as  to  the 
relative  costs  involved  in  supplying  the  system  throughout 
its  life  cycle.  As  design  changes  occur,  or  trade-offs  are 
made  which  affect  the  system  configuration,  these  changes  can 
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be  reflected  in  the  FMEA  on  real-time  basis  through  the  use 
of  such  sections  of  the  FMEA  as  the  Transition  Summary  and 
the  Program  Distribution  Grid.  The  FMEA  provides  the  supply 
analyst  with  a means  of  qualitatively  evaluating  the  supply 
supportabil i ty  of  the  system  without  attempting  to  derive 
the  meaning  of  a numerical  analysis. 

Failure  Mode  and  Effect  Analysis  can  make  an  important 
contribution  in  the  area  of  technical  data.  A FMEA  struc- 
tured such  as  the  one  in  Appendix  A shows  not  only  the  type 
of  failure,  or  failure  mode,  but  also  the  effect  of  the 
failure,  the  cause  of  the  failure,  the  symptoms  and  means  of 
detection  of  the  failure,  and  those  features  of  the  design 
which  compensate  for  the  failure.  In  addition,  the  FMEA 
shows  the  structure  of  the  system  and  the  subsystem  relation- 
ships involved.  Essentially,  the  FMEA  provides  the  informa- 
tion necessary  to  formulate  a maintenance  manual.  Also,  this 
information  is  central  to  the  information  required  in  prepar- 
ing an  operational  manual. 

General  determinations  as  to  the  requirements  for 
numbers  and  skill  levels  of  personnel  can  be  facilitated  by 
use  of  the  FMEA.  A qualitative  evaluation  of  the  data  on 
failure  types  and  the  effect  which  they  have  on  system  per- 
formance can  provide  indications  of  the  skills  needed  or  the 
type  of  training  required.  For  example,  if  the  FMEA  of  a 
system  resulted  in  more  failures  in  the  electronic  sections 
of  the  system,  then  more  personnel  trained  in  electronics 
would  be  needed  than  those  with  mechanical  skills.  The 
specific  skills  needed  would  require  a more  comprehensive 
evaluation  of  the  data  contained  in  the  FMEA  and  that  con- 
tained in  the  reliability  analysis. 

The  formulation  of  plans  for  the  operational  test  and 
evaluation  is  an  exacting  process  requiring  data  from  a 
variety  of  sources.  Currently,  this  planning  is  done  by 
combining  the  requirements  of  the  specification  with  informa- 
tion obtained  from  the  reliability  analysis  and  technical 
information  on  the  system  performance  and  capabilities 
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supplied  by  the  contractor.  This  study  has  found  that  little 
use  is  made  of  the  FMEA  in  this  planning  process.  The  opera- 
tional test  and  evaluation  results  constitute  a basis  for  a 
production  decision,  and  the  FMEA  contains  information  which 
can  significantly  assist  in  this  decision  and  in  the  formula- 
tion of  the  test  plan.  For  example,  by  employing  the  infor- 
mation contained  in  the  FMEA  a specific  subsystem  performance 
can  be  evaluated  in  a failure  environment.  That  is,  if 
design  features  have  been  incorporated  to  compensate  for  a 
failure,  then  the  ability  of  the  system  to  survive  that 
failure  mode  could  be  tested.  The  maintainability  of  a 
system  can  be  tested  by  using  the  information  in  the  FMEA  to 
supply  failure  information  to  assist  in  determining  the 
accuracy  of  the  information  contained  in  the  reliability 
analysis . 
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IV.  CONCLUSIONS  AND  RECOMMENDATIONS 

A.  CONCLUSIONS 

The  results  of  this  study  lead  to  the  overall  conclusion 
that  Failure  Mode  and  Effect  Analysis  is  a resource  which  is 
not  being  employed  to  its  full  potential  in  Air  Force  defense 
system  acquisitions.  Most  prevalent  of  the  many  factors 
which  have  contributed  to  this  circumstance  is  the  current 
philosophy  which  surrounds  the  use  of  the  FMEA  process.  This 
philosophy  has  made  FMEA  another  portion  of  the  rather  mystic 
science  of  reliability  and  hindered  its  development  as  a val- 
uable management  tool. 

The  model  FMEA  presented  in  Appendix  A can  be  used  as  a 
guideline  for  the  Air  Program  Manager  in  integrating  FMEA 
into  an  acquisition  effort.  When  it  is  combined  with  the 
system  block  diagrams  and  used  in  conjunction  with  the  Trans- 
ition Summary  and  the  Failure-Criticality  Grid,  it  offers  a 
valid  and  cost  effective  method  for  evaluating  the  capability 
of  the  chosen  alternative  to  meet  the  requirements  of  the 
defense  objective  and  serves  as  a measure  of  the  progress  of 
the  acquisition  effort.  In  addition,  it  provides  a concise 
history  of  the  significant  events  which  have  occurred  and 
indicates  their  impact  on  the  overall  system  configuration. 
Armed  with  this  type  of  information,  the  Program  Manager  can 
effectively  evaluate  trade-offs  with  respect  to  the  require- 
ments of  cost,  performance  and  schedule. 

Further  study  is  recommended  below  with  suggestions  on 
how  to  circumvent  some  of  the  problem  areas  highlighted  here 
and  suggestions  on  further  areas  of  study. 

B.  RECOMMENDATIONS 

FMEA  can  only  be  effective  if  the  concepts  involved  in 
its  formulation  and  the  benefits  to  be  derived  from  its  use 
are  understood  by  Air  Force  Program  Managers.  Education  on 
the  process  is  clearly  necessary.  Air  Force  documentation  is 
needed  which  will  provide  the  Program  Manager  an  available 
reference  on  FMEA  without  requiring  him  to  delve  into  the  few 
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books  and  articles  available.  Air  Force  management  courses 
should  be  available  which  stress  the  value  and  validity  of 
FMEA  and  delineate  the  wide  scope  of  its  potential  use. 

A measure  of  flexibility  needs  to  be  introduced  into  the 
directives  which  require  the  use  of  FMEA  in  the  acquisition 
process.  The  Program  Manager  should  have  the  latitude  to 
structure  the  FMEA  in  the  way  which  best  benefits  the  pro- 
gram. The  depth  of  the  analysis  should  not  be  a requirement 
which  encompasses  more  than  what  is  needed  for  management 
objectives . 

The  slight  modifications  to  the  form  and  content  which 
have  been  presented  in  this  report  should  be  included  within 
the  structure  of  the  FMEA.  This  is  not  a recommendation  that 
they  be  unilaterally  required  but  that  they  should  be  made 
available  to  the  Program  Manager  for  use  in  the  program  and 
the  FMEA. 

This  change  in  the  current  philosophy  and  the  shift  of 
FMEA  from  a strictly  reliability  oriented  function  to  that 
of  a process  which  can  benefit  the  entire  acquisition  process 
should  be  made.  Only  in  this  way  can  the  effective  utiliza- 
tion of  FMEA  be  realized. 

C.  AREAS  OF  FURTHER  STUDY 

The  computerization  of  Failure  Mode  and  Effect  Analysis 
is  an  area  worthy  of  further  study.  Although  there  are  in- 
stances of  where  the  computer  has  been  used  to  generate  the 
FMEA  form  from  specific  input  data,  no  use  has  been  made  of 
the  computer  in  the  decision  making  processes  involved  in  the 
FMEA.  Essentially,  the  overall  problem  is  three-fold  in 
nature.  First,  a set  of  universal  rules  must  be  developed 
which  can  be  applied  to  every  FMEA.  Then,  a set  of  decision 
algorithms  must  be  written  which  can  incorporate  these  rules 
and  the  specifications  for  a particular  defense  system. 
Finally,  a computer  program  rivst  be  generated  which  combines 
the  rules  and  the  decision  algorithms,  provides  for  such 
aspects  as  the  FMEA  Transition  Summary  and  the  Failure-Criti- 
cality Grid,  and  allows  flexible  requirements  as  specified  by 
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Program  Management.  This  type  of  computerized  analysis  can 
be  of  immediate  benefit  in  reducing  the  workload  of  Program 
Management  and  in  providing  a centralized  store  of  readily 
available  FMEA  information  on  a timely  basis. 

The  use  of  FMEA  in  evaluating  Reliability  Improvement 
Warranties  (RIW)  offers  another  area  of  study.  Simplis- 
tically,  a RIW  is  much  like  the  service  agreement  that  a 
retailer  makes  with  a customer  covering  a refrigerator. 
However,  for  a complex  defense  system,  they  are  much  more 
complicated  and  cover  nearly  all  aspects  of  system  operation 
and  maintenance.  Reliability  Improvement  Warranties  are  cur- 
rently of  increasing  interest  and  importance  in  the  Air  Force 
and  FMEA  offers  a potential  method  of  determining  their 
validity  in  specific  programs. 

Further  amplification  of  this  study  is  also  possible.  A 
case-by-case  study  encompassing  the  aerospace  industry  could 
provide  information  concerning  the  role  of  FMEA  in  that  in- 
dustry. The  sample  FMEA  study  questionnaire  contained  in 
Appendix  B could  be  distributed  to  aerospace  contractors  and 
the  results  analyzed.  In  addition,  the  impact  of  FMEA  on 
other  areas  of  private  industry,  such  as  the  automotive  in- 
dustry or  the  home  appliance  industry,  could  be  examined. 
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APPENDIX  A 

MODEL  FAILURE  MODE  AND  EFFECT  ANALYSIS 

Presented  here  is  a model  Failure  Mode  and  Effect  Analy- 
sis for  the  hypothetical  high  pressure  air  compressor  system  ' 

described  in  the  body  of  the  report.  The  FMEA  consists  of 
the  system  description,  the  system  specifications,  the  system 
block  diagrams,  and  the  analysis  forms.  It  must  be  empha- 
sized that  all  factors  are  for  example  only  and  are  not  meant 
to  specify,  or  form  the  basis  for  the  specification  of,  any 
actual  system.  In  actual  use,  these  factors  would  be  subject 

to  the  contractual  negotiations  of  that  particular  procure-  < 

ment  effort. 

A.  SYSTEM  DESCRIPTION 

The  hypothetical  system  to  be  analyzed  is  a high  pres- 
sure air  compressor  which  will  be  used  to  supply  all  the  high 
pressure  air  for  a varied  number  of  operations.  The  com- 
pressor is  an  electric  motor  driven  two  cylinder,  four  stage 
piston  type  with  closed  (recirculating)  water  cooling  and 
self-contained  lubrication.  Excluded  from  the  analysis  is 
the  power  controller  and  the  high  pressure  storage  tank. 

B.  SYSTEM  SPECIFICATION 

The  Instrumentation  and  Monitors  Subsystem  supplies 
signals  representing  air  temperature  and  pressure  to  a read- 
out device  which  is  considered  a portion  of  this  subsystem. 

This  subsystem  also  supplies  a signal  for  the  automatic 
relief  of  excessive  high  pressure  air  to  an  external  auto- 
matic relief  valve.  This  external  high  pressure  relief  valve 
will  be  activated  by  the  Instrumentation  and  Monitor  Sub- 
system when  the  pressure  of  the  air  produced  by  the  com- 
pressor exceeds  3550  pounds-per-square-inch  (psi).  In  addi- 
tion, the  Instrumentation  and  Monitor  Subsystem  will  supply  a 
signal  to  the  power  controller  for  the  automatic  shutdown  of 
the  entire  system  when  the  temperature  of  the  high  pressure 
air  is  less  than  385  degrees  Fahrenheit  or  exceeds  415 
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degrees  Fahrenheit.  This  automatic  shutdown  signal  will  also 
be  used  to  activate  an  audible  alarm  sufficient  in  volume  to 
notify  the  operator  that  the  system  has  been  shut  down. 

The  Compressor  Subsystem  supplies  high  pressure  air  at  a 
pressure  of  3550  p.s.i.,  at  a temperature  between  385  and  415 
degrees  Fahrenheit,  and  at  a rate  of  14.5  cubic-feet-per- 
hour  (cfh). 

The  Motor  Subsystem  receives  electric  power  from  the 
power  controller  and  operates  on  440  volts,  60  cycle  alter- 
nating current.  The  Motor  Subsystem  supplies  torque  to  the 
compressor  and  operates  at  a constant  speed  of  4610  revolu- 
t ions-per-minute  (rpm).  In  addition,  the  Motor  Subsystem 
supplies  torque  to  the  Lubrication  Subsystem  and  the  Cooling 
and  Moisture  Separation  Subsystem. 

The  Lubrication  Subsystem  supplies  lubricating  oil  to 
the  Compressor  Subsystem. 

The  Cooling  and  Moisture  Separation  Subsystem  cools  and 
dries  outside  air  and  supplies  it  to  the  Compressor  Subsystem 
for  compression  and  output.  Moisture  content  of  the  air  sup- 
plied by  this  subsystem  must  be  less  than  ten  parts-per- 
million  (ppm).  In  addition,  this  subsystem  receives  heated 
oil  from  the  Compressor  Subsystem  and  cools  it  for  redistri- 
bution to  the  Lubrication  subsystem. 

C.  FUNCTIONAL  BLOCK  DIAGRAMS 

The  functional  breakdown  of  the  high  pressure  air  com- 
pressor system  is  shown  in  Figures  1,  2,  3,  and  4.  The 
major  subsystem  relationships  are  shown  in  the  second  inden- 
ture level  diagram  of  Figure  1.  The  Instrumentation  and 
Monitors  Subsystem  is  expanded  to  the  third  indenture  level 
in  Figure  2.  The  Temperature  Monitor  Subsection  of  the  In- 
strumentation and  Monitors  Subsystem  is  shown  in  the  fourth 
indenture  level  in  Figure  3.  Specific  inputs  and  outputs 
are  identified  and  the  relationships  existing  through  four 
indenture  levels  are  shown  in  Figure  4. 
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D.  MODEL  FAILURE  MODE  AND  EFFECT  ANALYSIS 

The  actual  FMEA  is  shown  in  Figure  8.  The  procedures 
for  formulating  and  evaluating  this  analysis  are  contained  in 
Section  III  of  the  report. 
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Figure  8.  (continued) 
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APPENDIX  B 

SAMPLE  FMEA  STUDY  QUESTIONNAIRE 

Presented  here  is  a sample  questionnaire  which  may  have 
potential  use  in  further  studies  of  the  FMEA  process  as  it 
applies  to  contractors  involved  in  DOD  contracts.  The  objec- 
tive of  the  questionnaire  is  to  determine  whether  the  con- 
tractor surveyed  is  on  a prime  contractor  or  subcontractor 
level,  whether  the  contractor  employs  the  FMEA  process  as 
required  by  DOD  directives,  and  what  procedures  are  used  to 
specify  the  manner  in  which  the  analysis  is  performed.  This 
information  can  be  used  as  a basis  from  which  to  draw  conclu- 
sions as  to  the  impact  of  the  changes  recommended  in  this 
report.  For  example,  questions  six  and  seven  indicate  the 
references  used  by  the  surveyed  company  in  formulating  the 
procedures  and  show  the  factors  involved  in  the  FMEA.  In 
addition,  the  use  of  the  FMEA  in  the  areas  of  testing  and 
logistics  can  be  determined  by  questions  eleven  through 
fifteen  and  can  indicate  whether  the  FMEA  has  widespread  use 
in  the  company.  The  questionnaire  also  surveys  those  com- 
panies planning  to  introduce  the  FMEA  process  to  determine 
the  direction  of  that  planning. 

A.  QUESTIONNAIRE  INSTRUCTIONS 

Please  indicate  your  response  to  all  applicable  ques- 
tions with  an  "X"  in  the  space  next  to  your  answer.  Certain 
questions  will  contain  directions  based  upon  your  response. 
Primarily,  these  directions  consist  of  PLEASE  PROCEED  with 
the  questionnaire  in  a sequential  manner.  PLEASE  PROCEED  to 
a specified  question  number  without  answering  intermediate 
questions,  or  PLEASE  INDICATE  additional  information.  If  you 
do  not  wish  to  supply  this  additional  information,  please 
enter  "N/R"  in  that  area.  If  you  do  not  wish  to  answer  a 
question,  please  mark  the  numeral  designating  that  question 
with  an  "X".  No  effort  will  be  made  to  "interpret"  your 
reasons  for  not  supplying  extra  information  or  not  answering 
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a question.  The  markings  requested  are  for  ease  in  compiling 
the  data. 

Your  name,  position  and  company  are  optional.  No  use 
will  be  made  of  specific  names,  positions,  or  companies  in 
the  final  report.  This  information  will  only  be  used  to 
determine  population  and  sample  factors  for  statistical  anal- 
ysis of  the  questionnaire. 

NAME : 

POSITION: 

COMPANY : 

THANK  YOU  AND  PLEASE  PROCEED  WITH  THE  QUESTIONNAIRE. 

1.  Is  your  company  involved  with  defense  contracts  from  the 
Department  of  Defense  (DOD)? 

YES  - PLEASE  CONTINUE 

NO  - THANK  YOU.  PLEASE  RETURN  THE  QUESTIONNAIRE 

IN  THE  SUPPLIED  RETURN  ENVELOPE. 

2.  Is  your  company  mainly  involved  on  a prime  contractor  or 
subcontractor  level? 

PRIME  CONTRACTOR 

SUBCONTRACTOR 

BOTH 

3.  Does  your  company  employ  the  process  of  Failure  Mode  and 

Effect  Analysis  (FMEA)  in  connection  with  DOD  contracts? 
YES  - PLEASE  CONTINUE 

NO  - PLEASE  PROCEED  TO  QUESTION  18 

4.  Does  your  company  use  the  nomenclature  Failure  Mode  and 
Effect  Analysis? 

YES 

NO  - PLEASE  INDICATE  THE  NAME  USED: 


5.  Does  your  company  have  its  own  corporate  practices  to 
direct  the  procedures  used  in  this  analysis? 

YES 

NO 


i r- 
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6.  PLEASE  INDICATE  if  any  of  the  following  are  used  in  con- 
junction with,  or  in  place  of,  company  requirements: 

MIL-STD  785A 

MIL-STD  756A 

MIL-HDBK  217 

RADC  RELIABILITY  HANDBOOK 

QUALITY  CONTROL  HANDBOOK 

MIL-STD  882 

NONE  OF  THE  ABOVE 

OTHER : 


7.  PLEASE  INDICATE  which  of  the  factors  listed  below  are 
considered  in  this  analysis: 

OUTPUT  SPECIFICATION/FUNCTIONAL  DISCRIPTION 

FAILURE  MODE 

FAILURE  CAUSE 

SYMPTOMS/DETECTABILITY 

FAILURE  EFFECT 

EXISTING  COMPENSATING  PROVISIONS 

CRITICALITY  FACTOR/CLASSIFICATION 

FAILURE  PROBABILITY 

FAILURE  RATE 

RECOMMENDATIONS 

OTHER : 


8.  PLEASE  INDICATE  which  of  the  following  individuals  are 
directly  involved  with  the  initial  formulation  of  the 
FMEA : 

RELIABILITY  ENGINEER 

DESIGN  ENGINEER 

OTHER : 
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9. 


10. 


11. 


12. 


13. 


14. 


Is  this  analysis  updated  as  design  changes  occur  or  on 
a periodic  basis? 

YES,  as  design  changes  occur 

YES,  on  a periodic  basis 

YES,  based  on  both  of  the  above 

NO,  updates  are  not  accomplished 

If  a failure  probability  or  failure  rate  is  included  in 
the  analysis,  is  this  information  derived  from  the  re- 
liability analysis  or  derived  solely  as  a part  of  the 
FMEA? 

DERIVED  FROM  THE  RELIABILITY  ANALYSIS 

DERIVED  AS  A PART  OF  THE  FMEA 

THIS  INFORMATION  IS  NOT  USED 

Is  the  FMEA  used  by  your  company  in  deriving  a Safety/ 
Hazard  Analysis  of  the  system? 

YES,  directly 

YES,  indirectly 

NO 

Is  the  FMEA  used  by  your  company  in  a logistics  context 
to  determine  such  factors  as  optimum  order  quantities  or 
spare  parts  requirements? 

YES 

NO 

Is  the  information  from  the  FMEA  used  by  your  company  in 
preparing  "in-house"  testing  plans? 

YES 

NO 

PLEASE  INDICATE  if  this  analysis  is  used  in  the  prepara- 
tion of  any  of  the  following: 

FLIGHT  MANUALS 

TROUBLESHOOTING  GUIDES /MANUALS 

MAINTENANCE  MANUALS 

TECHNICAL  ORDERS 

OPERATIONAL  MANUALS 

OTHER : 


t 
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15.  Is  the  information  from  the  FMEA  used  by  your  company 
for  preparing  testing  plans  for  other  than  "in-house" 
purposes,  such  as  those  used  for  operational  test  and 
evaluation? 

YES 

NO 

16.  By  what  means  is  the  FMEA  prepared? 

MANUALLY 

COMPUTER 

BOTH  MANUALLY  AND  BY  COMPUTER 

17.  If  computerization  of  this  analysis  was  shown  to  be 
feasible  and  practical,  would  there  be  sufficient 
interest  in  your  company  for  the  development  of  this 
sof  tware? 

YES 

DOUBTFUL 

NO 

THANK  YOU.  PLEASE  RETURN  THE  QUESTIONNAIRE  IN  THE  SUPPLIED 
RETURN  ENVELOPE. 

18.  Is  your  company  currently  planning  to  implement  a 
Failure  Mode  and  Effect  Analysis  Program  for  application 
to  DOD  contracts? 

YES  - PLEASE  CONTINUE 

NO  - THANK  YOU.  PLEASE  RETURN  THE  QUESTION- 
NAIRE IN  THE  SUPPLIED  RETURN  ENVELOPE. 

19.  In  implementing  this  program,  how  will  your  company 
prepare  the  analysis? 

MANUALLY 

COMPUTER 

BOTH  MANUALLY  AND  BY  COMPUTER 

20.  In  implementing  this  program,  will  your  company  have  its 
own  corporate  practices  to  direct  the  procedures  used? 


YES 

NO 
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21. 


Will  any  of  the  following  be  used  in  conjunction  with, 
or  in  place  of,  company  requirements  for  this  analysis? 


MIL- STD  785A 
MIL-STD  756A 
MIL-HDBK  217 

RADC  RELIABILITY  HANDBOOK 
QUALITY  CONTROL  HANDBOOK 
MIL-STD  882 
NONE  OF  THE  ABOVE 
OTHER : 


THANK  YOU.  PLEASE  RETURN  THE  QUESTIONNAIRE  IN  THE  SUPPLIED 
RETURN  ENVELOPE. 

B.  SUGGESTED  LIST  OF  COMPANIES 

TRW  Systems,  Inc. 

Defense  and  Space  Systems  Group 
Reliability  Division 
One  Space  Park 

Redondo  Beach,  California  90278 

IBM  Corporation 
Federal  Systems  Division 
Reliability  Group 
Bethesda,  Maryland  20034 

Raytheon  Company 

Government  Marketing 

Reliability  Division 

141  Spring  Street 

Lexington,  Massachusetts  02173 

Hydraulic  Research  Textron 
• Department  AF-1 

25200  West  Rye  Canyon  Road 
Valencia,  California  91355 

System  Development  Corporation 
Reliability  Division 
2500  Colorado  Avenue 
Santa  Monica,  California  90406 

Northrup  Corporation 
Reliability  Division 
Ventura  Division 
1515  Rancho  Conejo  Blvd. 

Newbury  Park,  California  91320 
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Motorola 

Government  Electronics  Division 
Reliability  Group 
P.0.  Box  2606 

Scottsdale,  Arizona  85252 

Rockwell  International 
Rocketdyne  Division 
Reliability  Group 
6633  Canoga  Avenue 
Canoga  Park,  California  91304 

Cutler-Hammer 
AIL  Division 
Reliability  Group 
Deer  Park 

Long  Island,  New  York  11729 

GTE  Sylvannia,  Inc. 

Western  Division 
Reliability  Group 
P.0.  Box  205 

Mountain  View,  California  94042 

Bell  Aerospace-Textron 
Reliability  Division 
Buffalo,  New  York  14240 

Westinghouse  Electric  Corporation 
Defense  and  Electronic  Systems  Center 
Reliability  Division 
MS-129A 
P.0.  Box  746 

Baltimore,  Maryland  21203 

Pratt  & Whitney  Aircraft  Group 
Government  Products  Division 
Reliability  Section 
West  Palm  Beach,  Florida  33402 

General  Dynamics 

Pierre  Laclede  Center 

St.  Louis,  Missouri  63105 

Sanders  Associates,  Inc. 

Federal  Systems  Group 
Reliability  Division 
95  Canal  Street 
Nashua,  NH  03061 


Applied  Technology 
Reliability  Division 
645  Almanor  Avenue 
Sunnyvale,  California  94086 

The  Bendix  Corporation 
Aerospace-Electronics  Group 
Reliability  Division 
Dept.  110-B 

1911  North  Fort  Myer  Drive 
Arlington,  Virginia  22209 

Teledyne  CAE 
Reliability  Division 
1330  Laskey  Road 
Toledo,  Ohio  43612 

E-Systems,  Inc. 

Reliability  Division 
P.0.  Box  6030 
Dallas,  Texas  75222 

Hewlett-Packard 
Reliability  Division 
16399  West  Bernardo  Drive 
San  Diego,  CA  92127 

Sikorsky  Aircraft 
Reliability  Division 
Stratford,  Connecticut  06602 

Guidance  & Control  Systems 
Reliability  Division 
5500  Canoga  Avenue 
Woodland  Hills,  California  91364 

Sierra  Research  Corporation 
Reliability  Division 
P.0.  Box  222 

Buffalo,  New  York  14225 

Sperry  Vickers 
Reliability  Division 
Jackson,  Mississippi  39206 

Ex-Cell-0  Corporation 
Aerospace  Division 
Reliability  Group 
2855  Coolidge 
Troy,  Michigan  48084 


Tracor , Inc. 

Applied  Technology  Division 
Reliability  Group 
6500  Tracor  Lane 
Austin,  Texas  78721 

Government  Avionics  Marketing 
Collins  Radio  Group 
Rockwell  International 
Cedar  Rapids,  Iowa  52406 

AiResearch  Manufacturing  Company 
Reliability  Division 
P.O.  Box  5217 
Phoenix,  Arizona  85010 

Aero  Products 

Reliability  Division 

Woodland  Hills,  California  91364 

ALKAN  U.S.A. , Inc. 

Reliability  Division 
6020  Richmond  Highway 
Alexandria,  VA  22303 

Boeing  Company 
P.O.  Box  3707 
Seattle,  WA  98124 


APPENDIX  C 

ADDRESSES  OF  INDIVIDUALS 
INTERVIEWED  FOR  THIS  STUDY 
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Presented  here  are  the  addresses  for  those  individuals 

interviewed  for  this  study.  Throughout  this  listing,  the 

abbreviation  AFB  will  be  used  to  indicate  Air  Force  Base. 

Mr.  W.  0.  Detert 
ASD/ENESR 

Wright-Patterson  AFB,  Ohio  45433 

Mr.  Charles  Dorney 
ASD/YF 

Wright-Patterson  AFB,  Ohio  45433 

Lt . Thomas  Landers 
ASD/YPEX 

Wright-Patterson  AFB,  Ohio  45433 

Mr.  Marion  E.  Merrell 
NB-2 

NASA  Lyndon  B.  Johnson  Space  Center 
Houston,  Texas  77058 

Mr.  W.  P.  Murden 
Reliability  Division 
McDonnell-Douglas  Corporation 
St.  Louis,  Missouri  63166 

Captain  Francis  Stump 
Headquarters  NASA 
Mail  Code  MOE 
Washington,  D.C.  20546 

Mr.  A.  S.  Torgerson 
Reliability  Division 
McDonnell-Douglas  Corporation 
St.  Louis,  Missouri  63166 

Major  James  Wessell 
ASD/YF 

Wright-Patterson  AFB,  Ohio  45433 
Mr.  Henry  L.  Williams 

Chief,  Vehicle  Reliability  Engineering  Branch 
NB-2 

NASA  Lyndon  B.  Johnson  Space  Center 
Houston,  Texas  77058 
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